Pulse Detail — Threat Intelligence

PULSE NAME

OneNote Spear-Phishing Campaign | Trustwave

WHITE jeffchandy 2023-03-10 Modified: 2023-04-09

171

IOCs

HIGH VOLUME

Trustwave SpiderLabs “noted” in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1012 T1027 T1047 T1053 T1055 T1059 T1071 T1082 T1083 T1112 T1140 T1204 T1218 T1222 T1547 T1566 T1614

Indicators of Compromise (171)

All URL domain FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	https://unitedmedicalspecialties.com/T1Gpp/OI.png	—	2023-03-10
domain	unitedmedicalspecialties.com	—	2023-03-10
URL	https://github.co/hiddenchars	—	2023-03-10
URL	https://shifa365.com/hgxU5/01.gif	—	2023-03-10
FileHash-SHA1	13697ddb77c6cdfb0fba6bc2eae680b44cefd47d	—	2023-03-10
FileHash-SHA1	dd16fd294e7776277435bac34c4bdac60263281d	—	2023-03-10
FileHash-SHA256	2a84822a832da97f1ea76cf989a357ec70c85713a2fd8f14c8421b76bbffe38c	—	2023-03-10
FileHash-SHA256	31098c260cfd1b298d66d3170a5fd36976c0cf565ae62342fe29ae956ea1a712	—	2023-03-10
FileHash-SHA256	364f42164f94dc982f254c9d29e6b65ebbade2c694345c614b473be2c0ea0d2f	—	2023-03-10
FileHash-SHA256	4431c92454e67e8f49466a8b74ff463f73867fafbb583139ea8d1a701b83ed4b	—	2023-03-10
FileHash-SHA256	581425c0eaaa5e5e53c5b736f58a14dbe5d38b0be425901738ad0670bd1d5a33	—	2023-03-10
FileHash-SHA256	67fe92411616822c2a74beb8347a2fc998e13d478a36f755073f9fcc2b2189a2	—	2023-03-10
FileHash-SHA256	746f517e662ac54e35f4add942333985e2f4df99621841bb6a3adbd13f6de74f	—	2023-03-10
FileHash-SHA256	90946c4665a4dd0dd5d3bd7e3e65a81f1ada5c0a2bf17079fc019d8c2b7926c9	—	2023-03-10
FileHash-SHA256	a7e1a26cfcaa05d4a187e9f84bd61f933e0d1e3fd91f20af5673d2ae8c158daf	—	2023-03-10
FileHash-SHA256	af85314c2860cc7331b9fe71a52a7ff667613e03903f28e670396391175c4b85	—	2023-03-10
FileHash-SHA256	b06e8fbc74ec08a73d9610d5ce48fb56d227bf378e7114265ca6f43cc0fbf35d	—	2023-03-10
FileHash-SHA256	bab24075f47b758367bc3273d68d88b97a1ba9b6b065d98ada43548edbd015e6	—	2023-03-10
FileHash-SHA256	ec6b4da9331f974bb9e9f2e39e497b3c81ccfc39625bf8c29554351e8414b559	—	2023-03-10
FileHash-SHA256	f0f1a6e7656a707998056eec6d251178e0388a52869059b9f4c597047f12d9e0	—	2023-03-10
FileHash-SHA256	f50857f6f4f83126dfae2000f00f724419f08cab9b0e6d955a4683e0c91a8c25	—	2023-03-10
URL	http://103.214.71.45/14703.dat	—	2023-03-10
URL	http://103.214.71.45/19680.dat	—	2023-03-10
URL	http://103.214.71.45/47993.dat	—	2023-03-10
URL	http://103.214.71.45/55528.dat	—	2023-03-10
URL	http://139.99.117.17/15674.dat	—	2023-03-10
URL	http://139.99.117.17/20830.dat	—	2023-03-10
URL	http://139.99.117.17/24856.dat	—	2023-03-10
URL	http://139.99.117.17/37381.dat	—	2023-03-10
URL	http://139.99.117.17/49860.dat	—	2023-03-10
URL	http://139.99.117.17/52809.dat	—	2023-03-10
URL	http://139.99.117.17/62119.dat	—	2023-03-10
URL	http://139.99.117.17/70039.dat	—	2023-03-10
URL	http://139.99.117.17/79875.dat	—	2023-03-10
URL	http://141.164.35.94/14711.dat	—	2023-03-10
URL	http://141.164.35.94/27863.dat	—	2023-03-10
URL	http://141.164.35.94/50074.dat	—	2023-03-10
URL	http://141.164.35.94/55199.dat	—	2023-03-10
URL	http://141.164.35.94/59649.dat	—	2023-03-10
URL	http://141.164.35.94/60892.dat	—	2023-03-10
URL	http://141.164.35.94/60934.dat	—	2023-03-10
URL	http://141.164.35.94/67262.dat	—	2023-03-10
URL	http://141.164.35.94/76507.dat	—	2023-03-10
URL	http://141.164.35.94/82255.dat	—	2023-03-10
URL	http://146.59.43.159/780683.dat	—	2023-03-10
URL	http://154.7.253.191/72363.dat	—	2023-03-10
URL	http://174.139.150.45/653219.dat	—	2023-03-10
URL	http://179.43.175.187/hgmy/XWormClientnew.bat	—	2023-03-10
URL	http://185.104.195.95/17117.dat	—	2023-03-10
URL	http://185.104.195.95/32752.dat	—	2023-03-10
URL	http://185.104.195.95/53762.dat	—	2023-03-10
URL	http://185.104.195.95/55035.dat	—	2023-03-10
URL	http://185.104.195.95/64557.dat	—	2023-03-10
URL	http://185.104.195.95/76676.dat	—	2023-03-10
URL	http://185.104.195.95/81895.dat	—	2023-03-10
URL	http://185.104.195.95/84216.dat	—	2023-03-10
URL	http://185.104.195.95/87350.dat	—	2023-03-10
URL	http://185.231.204.245/73175.dat	—	2023-03-10
URL	http://216.120.201.100/60852.dat	—	2023-03-10
URL	http://216.146.25.57/11747.dat	—	2023-03-10
URL	http://45.155.37.124/44408.dat	—	2023-03-10
URL	http://45.155.37.170/300332.dat	—	2023-03-10
URL	http://45.77.63.210/760433.dat	—	2023-03-10
URL	http://45.86.231.23/39222.dat	—	2023-03-10
URL	http://49.50.84.121/17618.dat	—	2023-03-10
URL	http://49.50.84.121/19342.dat	—	2023-03-10
URL	http://49.50.84.121/19371.dat	—	2023-03-10
URL	http://49.50.84.121/24267.dat	—	2023-03-10
URL	http://49.50.84.121/33896.dat	—	2023-03-10
URL	http://49.50.84.121/56348.dat	—	2023-03-10
URL	http://49.50.84.121/57885.dat	—	2023-03-10
URL	http://49.50.84.121/67639.dat	—	2023-03-10
URL	http://49.50.84.121/81082.dat	—	2023-03-10
URL	http://5.42.221.116/197928.dat	—	2023-03-10
URL	http://5.42.221.117/41067.dat	80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880	2023-03-10
URL	http://77.75.230.128/17932.dat	—	2023-03-10
URL	http://77.75.230.128/42095.dat	—	2023-03-10
URL	http://77.75.230.128/45702.dat	—	2023-03-10
URL	http://85.239.41.55/703558.dat	—	2023-03-10
URL	http://87.236.146.155/553145.dat	—	2023-03-10
URL	http://87.236.146.31/38199.dat	—	2023-03-10
URL	http://91.234.254.213/74334.dat	—	2023-03-10
URL	http://91.234.254.213/78585.dat	—	2023-03-10
URL	http://91.235.234.97/43975.dat	—	2023-03-10
URL	http://91.235.234.97/55909.dat	—	2023-03-10
URL	http://91.235.234.97/59105.dat	—	2023-03-10
URL	http://91.235.234.97/64460.dat	—	2023-03-10
URL	http://91.235.234.97/77589.dat	—	2023-03-10
URL	http://95.179.215.225/13139.dat	—	2023-03-10
URL	http://95.179.215.225/30077.dat	—	2023-03-10
URL	http://95.179.215.225/31227.dat	—	2023-03-10
URL	http://95.179.215.225/66486.dat	—	2023-03-10
URL	http://95.179.215.225/74483.dat	—	2023-03-10
URL	http://95.179.215.225/79114.dat	—	2023-03-10
URL	http://95.179.215.225/80352.dat	—	2023-03-10
URL	http://98.142.254.89/452845.dat	—	2023-03-10
URL	http://ehonlionetodo.com/	—	2023-03-10
URL	http://notefudeal.com/images/15093.png	—	2023-03-10
URL	http://waojernote.com/images/1.gif	—	2023-03-10
URL	https://casualscollection.com/l2iy4Dn/09.gif	—	2023-03-10
URL	https://codezian.com/Nt57/300123.gif	—	2023-03-10
URL	https://energizett.com/1llNOC1/300123.gif	—	2023-03-10
URL	https://ezintern.com/QdQjTTR/OI.png	6c09a3f77e8a1ce36ffdf1bf0cff8aa9bb5c17616ba8f31db31d8b5946245362	2023-03-10
URL	https://fcs-courier.com/ntDAqGR/OI.png	—	2023-03-10
URL	https://finetuning-digital.com/wRuLe/01.gif	—	2023-03-10
URL	https://laoitserv.com/Vos/00.gif	—	2023-03-10
URL	https://microbraintechnology.com/p2Egzpf/09.gif	—	2023-03-10
URL	https://myvigyan.com/m1YPt/300123.gif	—	2023-03-10
URL	https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe	—	2023-03-10
URL	https://ozcontests.com/tE3xt/01.png	—	2023-03-10
URL	https://plasticsurgerydubaiuae.com/43wxl/OI.png	—	2023-03-10
URL	https://preproddemo.com/CS40KM/d.gif	—	2023-03-10
URL	https://renomesolar.com/users/3954321778/4200660454	cab538fd1647961eb35348c1bd84e1fde389ad89672587d2fe3c007a0bc9e67f	2023-03-10
URL	https://rmbonlineshop.com/VV71d8/300123.gif	—	2023-03-10
URL	https://sahifatinews.com/jZbaw/01.png	—	2023-03-10
URL	https://sellscentre.com/1RnB/i.gif	—	2023-03-10
URL	https://somosacce.org/aswyw/01.gif	—	2023-03-10
URL	https://starcomputadoras.com/lt2eLM6/01.gif	—	2023-03-10
URL	https://tassoinmobiliaria.com/56G0/01.gif	—	2023-03-10
URL	https://thetwindollar.com/L7PJjN/01.png	—	2023-03-10
URL	https://vielagroglobal.com/Yto/00.gif	—	2023-03-10
domain	2fgithub.com	—	2023-03-10
domain	casualscollection.com	—	2023-03-10
domain	click.compare	—	2023-03-10
domain	click.contact	—	2023-03-10
domain	click.discover	—	2023-03-10
domain	click.open	—	2023-03-10
domain	click.org	—	2023-03-10
domain	click.talk	—	2023-03-10
domain	click.zero	—	2023-03-10
domain	codezian.com	—	2023-03-10
domain	continue.email	—	2023-03-10
domain	ehonlionetodo.com	—	2023-03-10
domain	energizett.com	—	2023-03-10
domain	ezintern.com	—	2023-03-10
domain	fcs-courier.com	—	2023-03-10
domain	finetuning-digital.com	—	2023-03-10
domain	github.co	—	2023-03-10
domain	laoitserv.com	—	2023-03-10
domain	microbraintechnology.com	—	2023-03-10
domain	myvigyan.com	—	2023-03-10
domain	notefudeal.com	—	2023-03-10
domain	oiartzunirratia.eus	—	2023-03-10
domain	ozcontests.com	—	2023-03-10
domain	plasticsurgerydubaiuae.com	—	2023-03-10
domain	preproddemo.com	—	2023-03-10
domain	renomesolar.com	—	2023-03-10
domain	repository.click	—	2023-03-10
domain	rmbonlineshop.com	—	2023-03-10
domain	sahifatinews.com	—	2023-03-10
domain	sellscentre.com	—	2023-03-10
domain	shifa365.com	—	2023-03-10
domain	signup.team	—	2023-03-10
domain	somosacce.org	—	2023-03-10
domain	starcomputadoras.com	—	2023-03-10
domain	submit.org	—	2023-03-10
domain	tassoinmobiliaria.com	—	2023-03-10
domain	thetwindollar.com	—	2023-03-10
domain	vielagroglobal.com	—	2023-03-10
domain	waojernote.com	—	2023-03-10
FileHash-SHA256	0517fa15fd6a2c5fec0eb5d2de2a737119b07887d2584bbfb852d1ac0fe5c974	—	2023-03-10
FileHash-SHA256	1ca3d3a009c79ccacde900aa1cac710aacf3958b7e1517884b9495ef33fa58cb	—	2023-03-10
FileHash-SHA256	1d1a8f707ec9ffbdb89c4f9f6548c5bae21fb199d85c769dd0e2540c7f3c8152	—	2023-03-10
FileHash-SHA256	3c6150abfa6405aa1fce705b8fd0f993de293ab4430a2ea55bb4042b458c46c9	—	2023-03-10
FileHash-SHA256	3e7a15ed2b448a4bb1f171aa5022795479a3dc7e5b3cda7fdf494dda4e0e4c1c	—	2023-03-10
FileHash-SHA256	459c6547781a411292ff89abed90daa6210b7b0a6b104941a55a23cc497d12ab	—	2023-03-10
FileHash-SHA256	cf29866d30838570d384a2155dad1ec79542d293e9abcc2b1fb60342761eace9	—	2023-03-10
FileHash-SHA256	e42954b5529c68b23bcd6ffc72a5cea22f19059ea5da8f800506c45e1a027320	—	2023-03-10
FileHash-SHA256	f7bb2ac5e64c156e1331a7ac85209cb7d56329594752e571b1e2affc23f15489	—	2023-03-10
URL	http://105.99.105.0	—	2023-03-10
URL	http://156.216.125.255	—	2023-03-10

References (1)

↗ https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/