{ "type": "URL", "indicator": "https://microbraintechnology.com/p2Egzpf/09.gif", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://microbraintechnology.com/p2Egzpf/09.gif", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3633030868, "indicator": "https://microbraintechnology.com/p2Egzpf/09.gif", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6408e41498a0d60be89c252e", "name": "A Noteworthy Threat: How Cybercriminals are Abusing OneNote", "description": "Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files. Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.", "modified": "2023-04-08T18:02:38.257000", "created": "2023-03-08T19:37:56.109000", "tags": [ "OneNote", "AsyncRAT", "Qakbot", "Remcos RAT" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 419, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 10, "URL": 26, "domain": 29 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 386702, "modified_text": "1149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "640b221e2fcac4a5ed5aa56b", "name": "OneNote Spear-Phishing Campaign | Trustwave", "description": "Trustwave SpiderLabs \u201cnoted\u201d in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.", "modified": "2023-04-09T12:04:28.431000", "created": "2023-03-10T12:27:10.885000", "tags": [ "phishing", "onenote", "malware", "spiderlabs", "mitre", "qakbot", "rundll32", "xworm", "icedid", "powershell", "part", "onenote decoy", "asyncrat", "wind", "inject", "qbot", "strings", "persistence", "tools", "path", "span", "script", "button", "link", "header dropdown", "github", "footer", "meta", "product", "template", "form", "code", "copy", "enterprise", "open", "reload", "body", "find", "write", "star", "close", "desktop", "main" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jeffchandy", "id": "215558", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 105, "domain": 40, "FileHash-SHA1": 2, "FileHash-SHA256": 24 }, "indicator_count": 171, "is_author": false, "is_subscribing": null, "subscriber_count": 55, "modified_text": "1149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63ead41ef16a44666614c840", "name": "URLHaus data - 13-02-2023", "description": "", "modified": "2023-03-24T12:05:47.229000", "created": "2023-02-14T00:21:50.863000", "tags": [ "32-bit", "elf", "mips", "Mozi", "mirai", "arm", "hajime", "gafgyt", "Adobe Reader", "Agilable Consulting Inc", "batloader", "msi", "Landing Page", "Agileable Consulting Inc", "LibreOffice", "x86-32", "dropped-by-amadey", "RedLineStealer", "ascii", "Amadey", "dropped-by-PrivateLoader", "SocGholish", "dll", "geofenced", "Qakbot", "qbot", "Quakbot", "USA", "min-headers", "exe", "Loki", "zip", "dofoil", "encrypted", "Smoke Loader", "Formbook", "bat", "dcrat", "Aurora", "FakeBat", "Malvertising", "Kutaki", "GuLoader", "DDoS Bot", "ua-wget", "RecordBreaker", "AgentTesla", "1234", "Password-protected", "Encoded", "script", "SnakeKeylogger", "njRAT", "32", "motorola", "sparc", "renesas", "PowerPC", "intel", "shellscript" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 27, "hostname": 8 }, "indicator_count": 1034, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "1165 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/", "https://urlhaus.abuse.ch/browse/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Qakbot", "Asyncrat", "Remcos" ], "industries": [], "unique_indicators": 93 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 2297 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/microbraintechnology.com", "whois": "http://whois.domaintools.com/microbraintechnology.com", "domain": "microbraintechnology.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6408e41498a0d60be89c252e", "name": "A Noteworthy Threat: How Cybercriminals are Abusing OneNote", "description": "Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files. Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.", "modified": "2023-04-08T18:02:38.257000", "created": "2023-03-08T19:37:56.109000", "tags": [ "OneNote", "AsyncRAT", "Qakbot", "Remcos RAT" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 419, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 10, "URL": 26, "domain": 29 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 386702, "modified_text": "1149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "640b221e2fcac4a5ed5aa56b", "name": "OneNote Spear-Phishing Campaign | Trustwave", "description": "Trustwave SpiderLabs \u201cnoted\u201d in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.", "modified": "2023-04-09T12:04:28.431000", "created": "2023-03-10T12:27:10.885000", "tags": [ "phishing", "onenote", "malware", "spiderlabs", "mitre", "qakbot", "rundll32", "xworm", "icedid", "powershell", "part", "onenote decoy", "asyncrat", "wind", "inject", "qbot", "strings", "persistence", "tools", "path", "span", "script", "button", "link", "header dropdown", "github", "footer", "meta", "product", "template", "form", "code", "copy", "enterprise", "open", "reload", "body", "find", "write", "star", "close", "desktop", "main" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jeffchandy", "id": "215558", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 105, "domain": 40, "FileHash-SHA1": 2, "FileHash-SHA256": 24 }, "indicator_count": 171, "is_author": false, "is_subscribing": null, "subscriber_count": 55, "modified_text": "1149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63ead41ef16a44666614c840", "name": "URLHaus data - 13-02-2023", "description": "", "modified": "2023-03-24T12:05:47.229000", "created": "2023-02-14T00:21:50.863000", "tags": [ "32-bit", "elf", "mips", "Mozi", "mirai", "arm", "hajime", "gafgyt", "Adobe Reader", "Agilable Consulting Inc", "batloader", "msi", "Landing Page", "Agileable Consulting Inc", "LibreOffice", "x86-32", "dropped-by-amadey", "RedLineStealer", "ascii", "Amadey", "dropped-by-PrivateLoader", "SocGholish", "dll", "geofenced", "Qakbot", "qbot", "Quakbot", "USA", "min-headers", "exe", "Loki", "zip", "dofoil", "encrypted", "Smoke Loader", "Formbook", "bat", "dcrat", "Aurora", "FakeBat", "Malvertising", "Kutaki", "GuLoader", "DDoS Bot", "ua-wget", "RecordBreaker", "AgentTesla", "1234", "Password-protected", "Encoded", "script", "SnakeKeylogger", "njRAT", "32", "motorola", "sparc", "renesas", "PowerPC", "intel", "shellscript" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 27, "hostname": 8 }, "indicator_count": 1034, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "1165 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://microbraintechnology.com/p2Egzpf/09.gif", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://microbraintechnology.com/p2Egzpf/09.gif", "type": "URL", "found": true, "verdict": "malicious", "url_status": "offline", "threat": "malware_download", "tags": [ "dll", "geofenced", "Qakbot", "qbot", "Quakbot", "USA" ], "date_added": "2023-02-13", "last_online": "", "reporter": "abuse_ch", "host": "microbraintechnology.com", "payloads": [], "error": null }, "from_cache": true, "_cached_at": 1780329562.877327 }