![]() ![]() ![]() Overview of Observed TTPs and Characteristics OneNote file builders, which can be used to generate malicious OneNote files on the fly, are also being advertised on criminal forums. While much of the early waves of OneNote files were used to deliver a custom loader popular with access brokers - a technique commonly used to deliver payloads such as AsyncRAT, QuasarRAT and Redline Stealer - OneNote files have now been adopted by high-end eCrime adversaries such as LUNAR SPIDER and MALLARD SPIDER. OneNote files can be configured to contain embedded HTA, LNK and EXE files, which is likely of high value to eCrime actors to embed and distribute malicious files. ![]() While many adversaries continue to abuse search engines, since early January 2023, CrowdStrike Intelligence and Falcon Complete have observed a sharp rise in eCrime adversaries abusing OneNote files to deliver payloads. Initially, this change saw adversaries move to methods such as malvertising and search engine optimization poisoning. Comparison of likely malicious ISO and OneNote files submitted to a public malware repository by month, October 2022-February 2023 (Click to enlarge) ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |