Pulse: A Noteworthy Threat: How Cybercriminals are Abusing OneNote
TLP: WHITE | Author: AlienVault | 2023-03-08 (modified 2023-04-08)
Threat actors are taking advantage of Microsoft OneNote's ability to embed files, combined with social engineering techniques such as phishing emails and lures placed inside the OneNote document, to get unsuspecting users to download and open malicious attachments. Once the embedded file is opened, the attacker can use its code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.
MITRE ATT&CK techniques: none listed
Malware families: AsyncRAT, Remcos, QakBot
Indicators of Compromise (65): FileHash-SHA1, URL and domain indicators