Found 17 bookmarks
Custom sorting
From OneNote to RansomNote: An Ice Cold Intrusion - The DFIR Report
From OneNote to RansomNote: An Ice Cold Intrusion - The DFIR Report
  • In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. After loading IcedID and establishing persistence, there was no further actions, other than beaconing for over 30 days. The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server. * The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.
#thedfirreport#EN#2024#2023#incident#incident-analysis#IcedID#OneNote#FileZilla#Nokoyawa#ransomware
·thedfirreport.com·
From OneNote to RansomNote: An Ice Cold Intrusion - The DFIR Report
Emotet resumes spam operations, switches to OneNote
Emotet resumes spam operations, switches to OneNote
  • Emotet resumed spamming operations on March 7, 2023, after a months-long hiatus. * Initially leveraging heavily padded Microsoft Word documents to attempt to evade sandbox analysis and endpoint protection, the botnets switched to distributing malicious OneNote documents on March 16. * Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems. * The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.
#talosintelligence#EN#2023#Emotet#OneNote
·blog.talosintelligence.com·
Emotet resumes spam operations, switches to OneNote
OneNote Embedded file abuse
OneNote Embedded file abuse
In recent weeks OneNote has gotten a lot of media attention as threat actors are abusing the embedded files feature in OneNote in their phishing campaigns. I first observed this OneNote abuse in the media via Didier’s post. This was later also mentioned in Xavier’s ISC diary and on the podcast. Later, in the beginning of February, the hacker news covered this as well.
#nviso#EN#2023#OneNote#abuse#technical#report
·blog.nviso.eu·
OneNote Embedded file abuse
Onenote Malware: Classification and Personal Notes
Onenote Malware: Classification and Personal Notes
During the past 4 months Microsoft Onenote file format has been (ab)used as Malware carrier by different criminal groups. While the main infection vector is still on eMail side - so nothing really relevant to write on - the used techniques, the templates and the implemented code to inoculate Malware changed a lot. So it…
#marcoramilli#EN#2023#OneNote#abused#technical#Malware
·marcoramilli.com·
Onenote Malware: Classification and Personal Notes
Detecting OneNote Abuse
Detecting OneNote Abuse
OneNote is a software part of the Office suite, commonly used within most organisations for note-keeping, task management and more. In the last year, OneNote gained more attention from a security perspective, mostly thanks to the research paper published by Emeric Nasi.
#withsecure#2023#EN#Attack-detection#OneNote#Office#LNK
·labs.withsecure.com·
Detecting OneNote Abuse
OneNote Documents Increasingly Used to Deliver Malware
OneNote Documents Increasingly Used to Deliver Malware
Key Findings: * The use of Microsoft OneNote documents to deliver malware via email is increasing. * Multiple cybercriminal threat actors are using OneNote documents to deliver malware. * While some campaigns are targeted at specific industries, most are broadly targeted and include thousands of messages. * In order to detonate the payload, an end-user must interact with the OneNote document. * Campaigns have impacted organizations globally, including North America and Europe. * TA577 returned from a month-long hiatus in activity and began using OneNote to deliver Qbot at the end of January 2023.
#proofpoint#EN#2023#OneNote#Documents#Malware#AsyncRAT#IoCs#Redline#AgentTesla#DOUBLEBACK
·proofpoint.com·
OneNote Documents Increasingly Used to Deliver Malware
Emotet resumes spam operations, switches to OneNote
Emotet resumes spam operations, switches to OneNote
* Emotet resumed spamming operations on March 7, 2023, after a months-long hiatus. * Initially leveraging heavily padded Microsoft Word documents to attempt to evade sandbox analysis and endpoint protection, the botnets switched to distributing malicious OneNote documents on March 16. * Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems. * The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.
#talosintelligence#EN#2023#Emotet#OneNote
·blog.talosintelligence.com·
Emotet resumes spam operations, switches to OneNote
OneNote Embedded file abuse
OneNote Embedded file abuse
In recent weeks OneNote has gotten a lot of media attention as threat actors are abusing the embedded files feature in OneNote in their phishing campaigns. I first observed this OneNote abuse in the media via Didier’s post. This was later also mentioned in Xavier’s ISC diary and on the podcast. Later, in the beginning of February, the hacker news covered this as well.
#nviso#EN#2023#OneNote#abuse#technical#report
·blog.nviso.eu·
OneNote Embedded file abuse
Onenote Malware: Classification and Personal Notes
Onenote Malware: Classification and Personal Notes
During the past 4 months Microsoft Onenote file format has been (ab)used as Malware carrier by different criminal groups. While the main infection vector is still on eMail side - so nothing really relevant to write on - the used techniques, the templates and the implemented code to inoculate Malware changed a lot. So it…
#marcoramilli#EN#2023#OneNote#abused#technical#Malware
·marcoramilli.com·
Onenote Malware: Classification and Personal Notes
Detecting OneNote Abuse
Detecting OneNote Abuse
OneNote is a software part of the Office suite, commonly used within most organisations for note-keeping, task management and more. In the last year, OneNote gained more attention from a security perspective, mostly thanks to the research paper published by Emeric Nasi.
#withsecure#2023#EN#Attack-detection#OneNote#Office#LNK
·labs.withsecure.com·
Detecting OneNote Abuse
OneNote Documents Increasingly Used to Deliver Malware
OneNote Documents Increasingly Used to Deliver Malware
Key Findings: * The use of Microsoft OneNote documents to deliver malware via email is increasing. * Multiple cybercriminal threat actors are using OneNote documents to deliver malware. * While some campaigns are targeted at specific industries, most are broadly targeted and include thousands of messages. * In order to detonate the payload, an end-user must interact with the OneNote document. * Campaigns have impacted organizations globally, including North America and Europe. * TA577 returned from a month-long hiatus in activity and began using OneNote to deliver Qbot at the end of January 2023.
#proofpoint#EN#2023#OneNote#Documents#Malware#AsyncRAT#IoCs#Redline#AgentTesla#DOUBLEBACK
·proofpoint.com·
OneNote Documents Increasingly Used to Deliver Malware