

Initially, this change saw adversaries move to methods such as malvertising and search engine optimization poisoning. While many adversaries continue to abuse search engines, since early January 2023, CrowdStrike Intelligence and Falcon Complete have observed a sharp rise in eCrime adversaries abusing OneNote files to deliver payloads. While many of the early waves of OneNote files were used to deliver a custom loader popular with access brokers - a technique commonly used to deliver payloads such as AsyncRAT, QuasarRAT and Redline Stealer - OneNote files have now been adopted by high-end eCrime adversaries such as LUNAR SPIDER and MALLARD SPIDER. OneNote files can be configured to contain embedded HTA, LNK and EXE files, which is likely of high value to eCrime actors looking to embed and distribute malicious files.

Figure: Comparison of likely malicious ISO and OneNote files submitted to a public malware repository by month, October 2022-February 2023
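The embedded HTA, LNK and EXE attachments described above are stored inside a OneNote file as FileDataStoreObject structures (defined in Microsoft's MS-ONE specification): a fixed header GUID, an 8-byte little-endian length, 12 bytes of unused and reserved space, the raw attachment bytes, and a fixed footer GUID. The following triage script, added here as an example and not CrowdStrike's or Microsoft's code, carves those structures out of a .one file and classifies each attachment by its magic bytes so a mail gateway or sandbox can flag a note before a user opens it. The GUIDs are the published specification values; every function name, the `build_sample_note` fixture and the sample attachments are constructed for this example.

```python
"""Triage a OneNote (.one) file for embedded attachments.

Added example, not CrowdStrike's code. OneNote stores attached files in
FileDataStoreObject structures (MS-ONE spec): header GUID, 8-byte little-endian
length, 12 bytes of unused/reserved space, the raw file bytes, then a footer
GUID. Carving those structures out of the raw bytes and checking their magic
is enough to flag HTA, LNK and EXE attachments. Function names and the sample
attachments are constructed for this example.
"""
import struct
import uuid
from dataclasses import dataclass

# GUIDs from the MS-ONE / MS-ONESTORE / MS-SHLLINK specifications, little-endian on disk.
ONE_FILE_GUID = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
HEADER_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FOOTER_GUID = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
LNK_CLSID = uuid.UUID("{00021401-0000-0000-C000-000000000046}").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved
SUSPICIOUS_KINDS = {"exe", "lnk", "hta"}


@dataclass
class EmbeddedFile:
    offset: int    # offset of the header GUID inside the .one file
    size: int      # cbLength as declared in the header
    kind: str      # "exe", "lnk", "hta" or "unknown"
    intact: bool   # footer GUID found where the declared length says it should be
    data: bytes


def is_onenote_file(blob: bytes) -> bool:
    """A .one file starts with guidFileType; a mismatch is itself worth noting."""
    return blob.startswith(ONE_FILE_GUID)


def classify(data: bytes) -> str:
    """Identify an attachment by magic bytes; deliberately conservative."""
    head = data[:64]
    if head.startswith(b"MZ"):
        return "exe"
    # Shell link: HeaderSize 0x4C followed by the LinkCLSID (MS-SHLLINK).
    if head.startswith(b"\x4c\x00\x00\x00" + LNK_CLSID):
        return "lnk"
    low = head.lstrip().lower()
    if low.startswith((b"<html", b"<!doctype", b"<script", b"<hta:")):
        return "hta"
    return "unknown"


def carve_embedded_files(blob: bytes) -> list[EmbeddedFile]:
    """Walk every FileDataStoreObject header in the blob and carve its payload."""
    found = []
    pos = blob.find(HEADER_GUID)
    while pos != -1:
        if pos + HEADER_SIZE > len(blob):
            # Header GUID with no complete header behind it: record and stop.
            found.append(EmbeddedFile(pos, 0, "unknown", False, b""))
            break
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_SIZE
        end = start + length
        if end > len(blob):
            # Truncated or hostile length field: keep what is there, but mark it.
            found.append(EmbeddedFile(pos, length, classify(blob[start:]), False, blob[start:]))
            break
        data = blob[start:end]
        intact = blob[end:end + 16] == FOOTER_GUID
        found.append(EmbeddedFile(pos, length, classify(data), intact, data))
        pos = blob.find(HEADER_GUID, pos + 16)
    return found


def summarize(blob: bytes) -> dict:
    """Verdict-style summary suitable for a gateway rule or sandbox report."""
    files = carve_embedded_files(blob)
    return {
        "is_onenote": is_onenote_file(blob),
        "attachments": len(files),
        "suspicious": sum(f.kind in SUSPICIOUS_KINDS for f in files),
        "truncated": sum(not f.intact for f in files),
        "kinds": [f.kind for f in files],
    }


def build_sample_note(attachments: list[bytes]) -> bytes:
    """Constructed fixture: a minimal .one-shaped blob wrapping each attachment."""
    out = bytearray(ONE_FILE_GUID + b"\x00" * 32)  # file GUID plus filler, not a real header
    for data in attachments:
        out += HEADER_GUID + struct.pack("<Q", len(data)) + b"\x00" * 12 + data + FOOTER_GUID
    return bytes(out)


if __name__ == "__main__":
    # Constructed attachments: an MZ stub, an LNK header, an HTA body and a PNG header.
    sample = build_sample_note([
        b"MZ" + b"\x90" * 40,
        b"\x4c\x00\x00\x00" + LNK_CLSID + b"\x00" * 12,
        b'<html><head><HTA:APPLICATION ID="x"></head></html>',
        b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    ])
    for f in carve_embedded_files(sample):
        print(f"offset={f.offset:#x} size={f.size} kind={f.kind} intact={f.intact}")
    print(summarize(sample))
```

Because the carver works on raw bytes rather than parsing the full object store, it still reports attachments in a note whose outer structure has been damaged or padded to evade a stricter parser; the `intact` flag and the `is_onenote` check give the analyst a quick read on whether the file is well-formed or has been tampered with.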
