{ "type": "Domain", "indicator": "ezintern.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ezintern.com", "alexa": "http://www.alexa.com/siteinfo/ezintern.com", "indicator": "ezintern.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3624898031, "indicator": "ezintern.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6408e41498a0d60be89c252e", "name": "A Noteworthy Threat: How Cybercriminals are Abusing OneNote", "description": "Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files. Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.", "modified": "2023-04-08T18:02:38.257000", "created": "2023-03-08T19:37:56.109000", "tags": [ "OneNote", "AsyncRAT", "Qakbot", "Remcos RAT" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 419, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 10, "URL": 26, "domain": 29 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 386596, "modified_text": "1149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640b221e2fcac4a5ed5aa56b", "name": "OneNote Spear-Phishing Campaign | Trustwave", "description": "Trustwave SpiderLabs \u201cnoted\u201d in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.", "modified": "2023-04-09T12:04:28.431000", "created": "2023-03-10T12:27:10.885000", "tags": [ "phishing", "onenote", "malware", "spiderlabs", "mitre", "qakbot", "rundll32", "xworm", "icedid", "powershell", "part", "onenote decoy", "asyncrat", "wind", "inject", "qbot", "strings", "persistence", "tools", "path", "span", "script", "button", "link", "header dropdown", "github", "footer", "meta", "product", "template", "form", "code", "copy", "enterprise", "open", "reload", "body", "find", "write", "star", "close", "desktop", "main" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jeffchandy", "id": "215558", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 105, "domain": 40, "FileHash-SHA1": 2, "FileHash-SHA256": 24 }, "indicator_count": 171, "is_author": false, "is_subscribing": null, "subscriber_count": 55, "modified_text": "1148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63eb0fef80c9eb5de1221d4e", "name": "eSentire | OneNote Payload Smuggling: Multiple Threats Leverage\u2026", "description": "eSentire offers a comprehensive range of security services, including multi-signal MDR services for small to medium businesses, managed risk management services and a dedicated Cyber Risk Advisor. Learn More", "modified": "2023-02-14T04:37:03.377000", "created": "2023-02-14T04:37:03.377000", "tags": [ "qakbot", "quasar", "qakbot onenote", "redline", "onenote", "figure", "threat response", "unit", "february", "hta file", "html", "endpoint", "quasar rat", "quasarrat", "powershell", "open", "cyber", "asyncrat", "redline stealer", "bumblebee", "malware", "emotet", "twitter", "phishing" ], "references": [ "https://www.esentire.com/blog/onenote-payload-smuggling-multiple-threats-leverage-onenote-to-deliver-malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Qakbot OneNote", "display_name": "Qakbot OneNote", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChaiPatti", "id": "217274", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217274/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 31 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "1202 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/", "https://www.esentire.com/blog/onenote-payload-smuggling-multiple-threats-leverage-onenote-to-deliver-malware", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Remcos", "Qakbot", "Asyncrat" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Redline", "Quasar", "Qakbot onenote", "Qakbot" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6408e41498a0d60be89c252e", "name": "A Noteworthy Threat: How Cybercriminals are Abusing OneNote", "description": "Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files. Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.", "modified": "2023-04-08T18:02:38.257000", "created": "2023-03-08T19:37:56.109000", "tags": [ "OneNote", "AsyncRAT", "Qakbot", "Remcos RAT" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 419, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 10, "URL": 26, "domain": 29 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 386596, "modified_text": "1149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640b221e2fcac4a5ed5aa56b", "name": "OneNote Spear-Phishing Campaign | Trustwave", "description": "Trustwave SpiderLabs \u201cnoted\u201d in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.", "modified": "2023-04-09T12:04:28.431000", "created": "2023-03-10T12:27:10.885000", "tags": [ "phishing", "onenote", "malware", "spiderlabs", "mitre", "qakbot", "rundll32", "xworm", "icedid", "powershell", "part", "onenote decoy", "asyncrat", "wind", "inject", "qbot", "strings", "persistence", "tools", "path", "span", "script", "button", "link", "header dropdown", "github", "footer", "meta", "product", "template", "form", "code", "copy", "enterprise", "open", "reload", "body", "find", "write", "star", "close", "desktop", "main" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jeffchandy", "id": "215558", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 105, "domain": 40, "FileHash-SHA1": 2, "FileHash-SHA256": 24 }, "indicator_count": 171, "is_author": false, "is_subscribing": null, "subscriber_count": 55, "modified_text": "1148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63eb0fef80c9eb5de1221d4e", "name": "eSentire | OneNote Payload Smuggling: Multiple Threats Leverage\u2026", "description": "eSentire offers a comprehensive range of security services, including multi-signal MDR services for small to medium businesses, managed risk management services and a dedicated Cyber Risk Advisor. Learn More", "modified": "2023-02-14T04:37:03.377000", "created": "2023-02-14T04:37:03.377000", "tags": [ "qakbot", "quasar", "qakbot onenote", "redline", "onenote", "figure", "threat response", "unit", "february", "hta file", "html", "endpoint", "quasar rat", "quasarrat", "powershell", "open", "cyber", "asyncrat", "redline stealer", "bumblebee", "malware", "emotet", "twitter", "phishing" ], "references": [ "https://www.esentire.com/blog/onenote-payload-smuggling-multiple-threats-leverage-onenote-to-deliver-malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Qakbot OneNote", "display_name": "Qakbot OneNote", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChaiPatti", "id": "217274", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217274/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 31 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "1202 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ezintern.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ezintern.com", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://ezintern.com/QdQjTTR/OI.png", "status": "offline", "threat": "malware_download", "date_added": "2023-02-02", "tags": [ "BB12", "dll", "Qakbot", "qbot", "Quakbot", "TR" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780277828.890708 }