By Max Gannon
Cofense Intelligence recently uncovered a long-term phishing campaign wherein a threat actor experimented with a OneNote notebook hosted on OneDrive to deliver both malware and credential phishing. Thanks to the ease of use and accessibility of OneNote, the threat actor was able to update a “phishing notebook” multiple times a day, experiment with various intrusion methods, and improve the odds to successfully evade email security controls. Numerous Agent Tesla Keylogger payloads as well as links to different credential phishing websites were included in the campaign. By using a public repository, the threat actor left an easily trackable trail, giving crucial insight into the process and planning involved in abusing trusted cloud hosting sources.
We investigated the experiments housed in this OneNote notebook and found multiple sites and templates the threat actor tested. Figure 1 shows an example email delivered by this threat actor, which was found in an environment protected by Microsoft EOP and FireEye enterprise gateways.
Figure 1: Original email with link to OneNote, leading to a tiny[.]cc link
Cybercriminals can leverage a wide array of trusted cloud hosting sources for credential phishing. Most commonly, a convincing page contains a link to a malicious external website that houses the actual forms used to harvest information. This kind of page can be an image or document hosted on Microsoft Sway, Microsoft SharePoint, Google Docs, or even Zoho Docs. An example from the OneNote was hosted on Zoho Docs, as shown in Figure 2. Note that when looking to download the invoice, the threat actor used the SmartURL link shortening service to circumvent security scanners and trick end users.
Figure 2: Document hosted on Zoho Leads to credential phishing website
The OneNote also housed an example demonstrating how threat actors take direct advantage of a trusted service. In Figure 3, Office 365 credentials are phished through Google Forms, which threat actors can access in their Google accounts. Having a readily accessible service that requires no maintenance and effectively acts as a free database significantly lowers the upkeep needed for the credential phish. A downside is that these services have evolved to look for nefarious activity, and Google displays a warning at the bottom of the form that warns the user to “never submit passwords through Google Forms.” Other services such as Microsoft Forms and survey sites can also enable this type of attack.
Figure 3: Google forms credential phish
Another less common, yet noteworthy, technique is to host a document on a file-sharing site and entice end users to download and open the file. Files housed on DropBox, OneDrive, Google Drive, Box, and other popular services lure email recipients into clicking a link or entering credentials into a form that exfiltrates back to the threat actor. Ultimately, users face some spoof or bait that exploits innate trust for nefarious purposes.
On one end, legitimate cloud hosting services continue to improve their defenses against some of these attacks. Even if only used as an intermediary, takedown requests and scanning solutions aim to remove malicious content as quickly as possible. This response is usually in the case of malware or well-defined phishing portals, which do account for the bulk of the abuse. However, multiple exceptions exist, such as the use of Microsoft OneNote. Given that an operator can update OneNote notebooks at any time, takedowns become more difficult as the threat is harder to track. In this particular case we investigated, OneNote was updated ten or more times a day, consisting not only of changes to the links leading to external credential phishing pages but also to the makeup and “template” of the page itself. OneNote has a version history tool that enables some limited forensics for investigators, but it is relatively easy for a threat actor to remove prior versions. In this instance, the actor did not remove the version history until later in the experimentation process.
Cofense Intelligence tracked content updates by this threat actor over the span of two weeks. Examining the “version history” of these pages over time revealed numerous progressions in the layout, malware, and credential phishing pages. The threat actor went through four templates that delivered a credential phishing portal and unique malware samples. Figure 4 highlights the evolution cycle, as each template underwent several revisions and variations.
- In the first template, the operator chose to send two URLs: one with an Office 365 credential phishing site, and another that downloaded malware. Both links were later changed to download malware samples instead of the lure portal.
- The second template offered a single link, directly straight to the same Office 365 credential phishing site but on a different URL path.
- No credential phishing link was found in the third template, offering a link to different malware versions that the threat actor updated several times.
- The fourth template features a phish-only link yet again that alternated between providing one of several different Office 365 credential harvesting portals.
Figure 4: OneNote template progression
In all cases where malware was delivered, the malware was a “first stage” downloader, attempting to download an encrypted binary that then decrypted and ran in memory. This binary proved to be the Agent Tesla Keylogger, tasked with collecting and exfiltrating stored logins and keystrokes. Initially, the two “first stage” malware downloaders had their encrypted payloads stored on Google Drive. Newer loaders attempted to fetch payloads from a compromised host, the same host that provided the malware downloaders. The newer loaders did, however, fail to accomplish their tasks due to improper customization by the threat actor. Such error is indicative of a less-capable operator who leverages premade kits but falls short on modifying them.
Like many other phishing sites hosted on OneNote, this threat actor’s primary objective was to steal credentials. A short experiment of delivering Agent Tesla Keylogger proved lackluster, leading the operator to shun malware use in the long-term. This particular threat actor likely decided against using Agent Tesla due to a lack of experience, indicated by the several improperly configured versions of the malware. However, if threat actors continue to use a source typically exploited for credential phishing to deliver malware, this could quickly become problematic. Based on the inherent risk posed by trusted sources, traditional protections trained against OneNote and similar services may prove ineffective. If not properly addressed, this could pave the way to a prolific infection vector for malware.
Table 1: Indicators of Compromise
|Cofense Intelligence™ ATR ID||35838|
|Cofense Triage™ YARA Rule||PM_Intel_AgentTesla_35838|
|URLs Embedded in Email||hxxp://tiny[.]cc/5n9wiz|
|Destination URL Hosting OneNote Notebook||hxxps://1drv[.]ms/o/s!Ap0JWbG5JDSSgQhsghgIsxdnVKZi|
|Malware Download URLs||hxxps://www[.]farcastbio[.]com/wp-content/invoice%20file[.]pif|
|Malware Payload URLs (From Malware Downloader)||hxxps://www[.]hbyygb[.]cn/wp-content/plugins/hello-dolly/file1_encrypted_9099BFF[.]bin|
|Malware C2 (From Agent Tesla Keylogger)||mail[@]winwinmax[.]xyz|
HOW COFENSE CAN HELP
Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.
Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and the “Order Invoice-Agent Tesla Keylogger” template based on this threat, and remove the blind spot with Cofense Reporter.
Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.
Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.
Update March 5, 2020: FireEye provided the following statement after reviewing our blog post: “As a member of the research community, FireEye extensively tracks campaigns targeting SaaS providers and end users in order to keep up with new adversary techniques. The company first saw this OneNote campaign on January 20th, 2020 and quickly deployed temporary protections. By February 7th, FireEye had added a new OneNote detection capability to FireEye Email Security, a service that is capable of preventing the attacks referenced in this blog post, in addition to new OneNote-based campaigns.”
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.