{ "type": "Domain", "indicator": "codezian.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/codezian.com", "alexa": "http://www.alexa.com/siteinfo/codezian.com", "indicator": "codezian.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3624372806, "indicator": "codezian.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6408e41498a0d60be89c252e", "name": "A Noteworthy Threat: How Cybercriminals are Abusing OneNote", "description": "Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files. Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.", "modified": "2023-04-08T18:02:38.257000", "created": "2023-03-08T19:37:56.109000", "tags": [ "OneNote", "AsyncRAT", "Qakbot", "Remcos RAT" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 419, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 10, "URL": 26, "domain": 29 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 386580, "modified_text": "1149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dd118a237983ac414953b4", "name": "Qakbot\u2019s Evolution Continues with New Strategies", "description": "The Qakbot malware has been delivered to victims through spam emails and a fake OneNote page, according to research by Cyble Research Intelligence Labs (CRIL) and the University of California, Los Angeles.", "modified": "2023-03-05T13:00:59.217000", "created": "2023-02-03T13:52:10.103000", "tags": [ "qakbot", "stealer", "microsoft onenote", "malicious document", "maldoc" ], "references": [ "https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/", "https://cert-agid.gov.it/wp-content/uploads/2023/02/qakbot_02-02-2023.json_.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 371, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 21, "URL": 29, "FileHash-MD5": 20, "FileHash-SHA1": 17, "domain": 28 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 386581, "modified_text": "1183 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dbfeee919a77dec64e84c9", "name": "OneNote Documents Increasingly Used to Deliver Malware", "description": "Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023.", "modified": "2023-03-04T18:01:50.354000", "created": "2023-02-02T18:20:28.978000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "quasar", "xworm", "agenttesla", "redline", "netwire", "powershell", "lnk file" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Netwire", "display_name": "Netwire", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 429, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27, "hostname": 7 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 386585, "modified_text": "1184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640b221e2fcac4a5ed5aa56b", "name": "OneNote Spear-Phishing Campaign | Trustwave", "description": "Trustwave SpiderLabs \u201cnoted\u201d in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.", "modified": "2023-04-09T12:04:28.431000", "created": "2023-03-10T12:27:10.885000", "tags": [ "phishing", "onenote", "malware", "spiderlabs", "mitre", "qakbot", "rundll32", "xworm", "icedid", "powershell", "part", "onenote decoy", "asyncrat", "wind", "inject", "qbot", "strings", "persistence", "tools", "path", "span", "script", "button", "link", "header dropdown", "github", "footer", "meta", "product", "template", "form", "code", "copy", "enterprise", "open", "reload", "body", "find", "write", "star", "close", "desktop", "main" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jeffchandy", "id": "215558", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 105, "domain": 40, "FileHash-SHA1": 2, "FileHash-SHA256": 24 }, "indicator_count": 171, "is_author": false, "is_subscribing": null, "subscriber_count": 55, "modified_text": "1148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63e0ba96af987d29c17f2298", "name": "Threat Intel Report - W6-2023.pdf", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2023-03-08T08:04:26.856000", "created": "2023-02-06T08:30:14.537000", "tags": [], "references": [ "https://www.dnsbl.info/", "https://www.spamhaus.org/xbl/", "https://www.senderscore.org/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 163, "hostname": 74, "FileHash-MD5": 26, "FileHash-SHA1": 25, "FileHash-SHA256": 44, "CVE": 7, "domain": 127 }, "indicator_count": 466, "is_author": false, "is_subscribing": null, "subscriber_count": 108, "modified_text": "1180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dbba3db89d0976b0215e5a", "name": "OneNote Documents Increasingly Used to Deliver Malware | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest cyber threats and security threats at a wide range of sites.", "modified": "2023-03-04T13:00:43.098000", "created": "2023-02-02T13:27:25.874000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "bec", "quasar", "xworm", "january", "sha256", "december", "proofpoint", "asyncrat c2", "english", "ta577", "quasar rat", "agenttesla", "redline", "netwire", "protect", "small", "tools", "february", "virustotal", "christmas", "powershell", "quasarrat", "download", "open", "wind", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "BEC", "display_name": "BEC", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "OneNote", "display_name": "OneNote", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 8, "URL": 40, "domain": 17, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dabad25d22ffe348071e47", "name": "OneNote Documents Increasingly Used to Deliver Malware | Proofpoint UK", "description": "Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023. OneNote is a digital notebook created by Microsoft and available via the Microsoft 365 product suite. Proofpoint has observed threat actors deliver malware via OneNote documents, which are .one extensions, via email attachments and URLs.", "modified": "2023-03-03T19:01:18.095000", "created": "2023-02-01T19:17:38.250000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "bec", "quasar", "xworm", "asyncrat c2", "ta577", "quasar rat", "agenttesla", "redline", "tools", "powershell", "quasarrat" ], "references": [ "https://www.proofpoint.com/uk/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "BEC", "display_name": "BEC", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "OneNote", "display_name": "OneNote", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sbik_intel", "id": "210787", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 40, "domain": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27, "hostname": 7 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "1185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dda042991e2bb0d452c003", "name": "Twitter Feed - Certego_Intel - 03-02-2023", "description": "", "modified": "2023-02-04T00:01:06.939000", "created": "2023-02-04T00:01:06.939000", "tags": [ "malware", "Qakbot" ], "references": [ "https://twitter.com/Certego_Intel/status/1621453458418143239" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1212 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/", "https://cert-agid.gov.it/wp-content/uploads/2023/02/qakbot_02-02-2023.json_.txt", "https://www.senderscore.org/", "https://www.dnsbl.info/", "https://www.proofpoint.com/uk/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware", "https://twitter.com/Certego_Intel/status/1621453458418143239", "https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/", "https://www.spamhaus.org/xbl/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/" ], "related": { "alienvault": { "adversary": [ "TA577" ], "malware_families": [ "Remcos", "Xworm", "Netwire", "Asyncrat", "Qbot", "Redline", "Qakbot", "Doubleback", "Quasar" ], "industries": [ "Industrial", "Manufacturing", "Education" ] }, "other": { "adversary": [ "TA577" ], "malware_families": [ "Xworm", "Bec", "Asyncrat", "Onenote", "Qbot", "Doubleback", "Quasar" ], "industries": [ "Industrial", "Manufacturing", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6408e41498a0d60be89c252e", "name": "A Noteworthy Threat: How Cybercriminals are Abusing OneNote", "description": "Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files. Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.", "modified": "2023-04-08T18:02:38.257000", "created": "2023-03-08T19:37:56.109000", "tags": [ "OneNote", "AsyncRAT", "Qakbot", "Remcos RAT" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 419, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 10, "URL": 26, "domain": 29 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 386580, "modified_text": "1149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dd118a237983ac414953b4", "name": "Qakbot\u2019s Evolution Continues with New Strategies", "description": "The Qakbot malware has been delivered to victims through spam emails and a fake OneNote page, according to research by Cyble Research Intelligence Labs (CRIL) and the University of California, Los Angeles.", "modified": "2023-03-05T13:00:59.217000", "created": "2023-02-03T13:52:10.103000", "tags": [ "qakbot", "stealer", "microsoft onenote", "malicious document", "maldoc" ], "references": [ "https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/", "https://cert-agid.gov.it/wp-content/uploads/2023/02/qakbot_02-02-2023.json_.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 371, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 21, "URL": 29, "FileHash-MD5": 20, "FileHash-SHA1": 17, "domain": 28 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 386581, "modified_text": "1183 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dbfeee919a77dec64e84c9", "name": "OneNote Documents Increasingly Used to Deliver Malware", "description": "Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023.", "modified": "2023-03-04T18:01:50.354000", "created": "2023-02-02T18:20:28.978000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "quasar", "xworm", "agenttesla", "redline", "netwire", "powershell", "lnk file" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Netwire", "display_name": "Netwire", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 429, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27, "hostname": 7 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 386585, "modified_text": "1184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640b221e2fcac4a5ed5aa56b", "name": "OneNote Spear-Phishing Campaign | Trustwave", "description": "Trustwave SpiderLabs \u201cnoted\u201d in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.", "modified": "2023-04-09T12:04:28.431000", "created": "2023-03-10T12:27:10.885000", "tags": [ "phishing", "onenote", "malware", "spiderlabs", "mitre", "qakbot", "rundll32", "xworm", "icedid", "powershell", "part", "onenote decoy", "asyncrat", "wind", "inject", "qbot", "strings", "persistence", "tools", "path", "span", "script", "button", "link", "header dropdown", "github", "footer", "meta", "product", "template", "form", "code", "copy", "enterprise", "open", "reload", "body", "find", "write", "star", "close", "desktop", "main" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jeffchandy", "id": "215558", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 105, "domain": 40, "FileHash-SHA1": 2, "FileHash-SHA256": 24 }, "indicator_count": 171, "is_author": false, "is_subscribing": null, "subscriber_count": 55, "modified_text": "1148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63e0ba96af987d29c17f2298", "name": "Threat Intel Report - W6-2023.pdf", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2023-03-08T08:04:26.856000", "created": "2023-02-06T08:30:14.537000", "tags": [], "references": [ "https://www.dnsbl.info/", "https://www.spamhaus.org/xbl/", "https://www.senderscore.org/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 163, "hostname": 74, "FileHash-MD5": 26, "FileHash-SHA1": 25, "FileHash-SHA256": 44, "CVE": 7, "domain": 127 }, "indicator_count": 466, "is_author": false, "is_subscribing": null, "subscriber_count": 108, "modified_text": "1180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dbba3db89d0976b0215e5a", "name": "OneNote Documents Increasingly Used to Deliver Malware | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest cyber threats and security threats at a wide range of sites.", "modified": "2023-03-04T13:00:43.098000", "created": "2023-02-02T13:27:25.874000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "bec", "quasar", "xworm", "january", "sha256", "december", "proofpoint", "asyncrat c2", "english", "ta577", "quasar rat", "agenttesla", "redline", "netwire", "protect", "small", "tools", "february", "virustotal", "christmas", "powershell", "quasarrat", "download", "open", "wind", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "BEC", "display_name": "BEC", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "OneNote", "display_name": "OneNote", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 8, "URL": 40, "domain": 17, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dabad25d22ffe348071e47", "name": "OneNote Documents Increasingly Used to Deliver Malware | Proofpoint UK", "description": "Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023. OneNote is a digital notebook created by Microsoft and available via the Microsoft 365 product suite. Proofpoint has observed threat actors deliver malware via OneNote documents, which are .one extensions, via email attachments and URLs.", "modified": "2023-03-03T19:01:18.095000", "created": "2023-02-01T19:17:38.250000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "bec", "quasar", "xworm", "asyncrat c2", "ta577", "quasar rat", "agenttesla", "redline", "tools", "powershell", "quasarrat" ], "references": [ "https://www.proofpoint.com/uk/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "BEC", "display_name": "BEC", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "OneNote", "display_name": "OneNote", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sbik_intel", "id": "210787", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 40, "domain": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27, "hostname": 7 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "1185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dda042991e2bb0d452c003", "name": "Twitter Feed - Certego_Intel - 03-02-2023", "description": "", "modified": "2023-02-04T00:01:06.939000", "created": "2023-02-04T00:01:06.939000", "tags": [ "malware", "Qakbot" ], "references": [ "https://twitter.com/Certego_Intel/status/1621453458418143239" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1212 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "codezian.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "codezian.com", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://codezian.com/Nt57/300123.gif", "status": "offline", "threat": "malware_download", "date_added": "2023-01-31", "tags": [ "dll", "Qakbot", "qbot", "Quakbot" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780264264.984929 }