This weblog was co-written with Kristen Perreault – Skilled Cybersecurity andJames Rodriguez – Sr. Specialist Cybersecurity.

Government abstract

Since December twenty second, 2022, there was a rise in malware despatched by way of Phishing emails by way of a OneNote attachment. As with most phishing emails, the top person would open the OneNote attachment however not like Microsoft Phrase or Microsoft Excel, OneNote doesn’t assist macros. That is how risk actors beforehand launched scripts to put in malware.

Minimal documentation has been made in direction of the techniques, strategies, and procedures (TTP’s) noticed in these assaults. A few of the TTP’s noticed included executions of Powershell.exe utilization and Curl.exe as soon as a hidden course of was ran. As soon as the hidden executable was clicked on, a connection was made to an exterior web site to try to put in and execute malware. As soon as executed the attacker will unload extra malicious recordsdata and achieve inside info from throughout the group. On this case, malicious recordsdata had been detected and mitigated by SentinelOne.

Investigation

Preliminary Alarm Evaluate

Indicators of Compromise (IOC)

The preliminary alarm got here in for malware being detected by SentinelOne which was a .One file kind. The file sourced from Outlook indicated this was doubtless a phishing e-mail. Shortly after receiving the preliminary alarm, the MES SOC Risk Hunters (SECTOR Staff) had been alerted by a buyer experiencing this exercise and commenced their deep dive. Upon getting into the file hash obtained from the SentinelOne occasion, no discernible info relating to the file’s objective was uncovered. This prompted SECTOR to make the most of Deep Visibility to achieve additional perception into the method and objective of the detected file.

Deep Visibility is a characteristic inside SentinelOne that gives complete perception into the actions and behaviors of threats inside a community surroundings. This characteristic permits safety groups, resembling SECTOR, to research and reply to threats by offering better perception in processes, community connections, and file actions. It’s an extremely highly effective software in SentinelOne and is often used in the course of the Incident Response course of.

Expanded investigation

Occasions Search

A search string was created for Deep Visibility which included the file identify and related file hashes. An occasion in SentinelOne was discovered that included a Curl.exe course of with the exterior area minaato[.]com. When reviewing the area additional, it was decided that this was a file sharing web site and extra malicious indicators had been uncovered. Analyzing the DNS request to minaato[.]com, confirmed occasions with the supply course of mshta.exe with the goal course of curl.exe, and the mother or father technique of onenote.exe. This chain of processes had been the heuristic (behavioral) attributes that prompted SentinelOne to fireside off an alert. Using these TTP and former supply processes, a brand new question was generated to search out any potential file populating the identical exercise. This led SECTOR to detect one other file beneath Cancellation[.]one.

Occasion Deep Dive

SECTOR started their occasion deep dive with an preliminary IOC based mostly search question that included the file identify and the area that generated outbound community connections.

Pivoting off of the outcomes from the preliminary IOC based mostly search question, SECTOR created a secondary search question that included a number of file names, domains, and hashes that had been discovered. These IOCs had not been beforehand found within the wild however as soon as they had been discovered, SECTOR supplied them to the AT&T AlienLabs staff for extra detection engines, correlation guidelines, and OTX (AT&T Open Risk Change Platform) pulse updates.

After gathering all of the IOCs, a 3rd heuristic-based search question was created. This new question aimed to search out any remaining occasions associated to the malware that SentinelOne won’t have alerted on, because it primarily focuses on execution-based actions somewhat than behavior-based ones. This demonstrates the significance of utilizing risk looking at the side of SentinelOne’s Deep Visibility characteristic for enhanced safety.

Within the ultimate stage of the occasion search, SECTOR created a ultimate heuristic search question that detected any outreach to a website with the identical behavioral attributes noticed on this surroundings. Though the outcomes contained false positives, they had been capable of sift by way of and discover an occasion the place the “ping.exe” command efficiently communicated with the malicious area, “minaato[.]com”. On this case, SentinelOne didn’t alert on this exercise on account of it being a typical course of execution.

Response

Constructing the Investigation

After gathering all needed info and occasion findings, SECTOR was capable of pull the malicious OneNote file and detonate it inside their sandbox surroundings. They had been then capable of see that when the file was opened, the malicious hyperlink was hidden beneath an overlayed inventory Microsoft picture that requested the person to click on open. This then introduced the person to the malicious area, minaato[.]com.

SECTOR supplied all information gathered from this risk hunt to the affected clients and fellow CyberSecurity Groups inside AT&T for situational consciousness.

Buyer interplay

The affected clients got remediation steps based mostly on the precise exercise they skilled with this malware. A few of them had been efficiently compromised, whereas others had been capable of keep away from any execution or downloads in affiliation with the malware itself. These remediation steps included eradicating all recordsdata from the affected units, resetting all person passwords for finest practices, scanning property to make sure no additional unauthorized or malicious exercise was occurring within the background, globally blocking all IOC’s, and implementing block guidelines on their firewalls.

IOCS