Ransomware/Malware Activity

Recent Uptick in Malicious Microsoft OneNote Attachments Identified in Phishing Campaigns

Security researchers have noted a recent uptick in phishing campaigns that use Microsoft OneNote attachments to deliver malware. Phishing emails have typically carried Microsoft Word or Excel documents embedded with malicious macros, or ISO images and password-protected ZIP files. Since Microsoft began blocking macros by default in Office documents downloaded from the internet, threat actors have turned to OneNote, the digital notebook application installed by default with Microsoft Office 2019 and Microsoft 365; because it is installed, a .one attachment opens in OneNote even on systems where nobody actually uses the application. In December 2022, Trustwave SpiderLabs researchers observed actors leveraging OneNote documents to spread the "Formbook" malware, an information-stealing trojan sold as malware-as-a-service since mid-2016. Once the attachment was opened, a large "View Document" image was displayed over a blurred document, with malicious file attachments embedded underneath the image. When the researchers clicked on the image (and thereby on the hidden attachments), a Windows Script File (WSF) was executed and OneNote's standard warning about opening attachments was shown. If the user clicks "OK" on that warning, the script downloads a decoy OneNote file together with an executable containing the malware payload. Threat actors then have the ability to remotely access the compromised device, exfiltrate files, steal saved browser passwords, and take screenshots; in rare cases, recording video with the machine's webcam has also been observed. Additional campaigns leveraging OneNote have been identified recently, using DHL shipping notification, invoice, ACH remittance form, mechanical drawing, and shipping document lures. CTIX analysts urge Microsoft users to be vigilant against suspicious emails and, if an attachment prompts a security warning upon opening, to reevaluate the received email and attachment before proceeding. Organizations that do not exchange OneNote notebooks by email can also block the .one attachment type at the mail gateway.
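The attachments hidden under the "View Document" image are stored in the notebook as FileDataStoreObject records, whose layout is given in Microsoft's MS-ONESTORE specification (a fixed GUID header, a 64-bit length, twelve reserved bytes, the raw file bytes, then a GUID footer). The following is an added example, not code from the original bulletin or from Trustwave, showing how a mail gateway or sandbox can carve those embedded files out of a .one attachment and flag the dangerous kinds (PE executables, WSF and HTA scripts) before a user ever sees the warning dialog. The sample notebook bytes are constructed here for the demonstration and are not a real OneNote file, and the type heuristics in `classify` are deliberately simple.

```python
"""Carve embedded files out of a OneNote (.one) blob and flag suspicious ones.

Record layout follows FileDataStoreObject in MS-ONESTORE: 16-byte GUID header,
8-byte little-endian length, 4 unused + 8 reserved bytes, then the file data,
then a 16-byte GUID footer.
"""
import struct

# GUIDs {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} / {71FBA722-0F79-4A0B-BB13-899256426B24}
# in the little-endian byte order they appear with on disk.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Embedded file types that should never arrive by email inside a notebook.
SUSPICIOUS = {"pe", "wsf", "hta"}


def extract_embedded_files(blob: bytes) -> list[bytes]:
    """Return the raw bytes of every well-formed FileDataStoreObject in blob."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        if pos + HEADER_LEN > len(blob):
            break  # header cut off at end of file
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_LEN
        end = start + cb_length
        if cb_length == 0 or end > len(blob):
            # Truncated or malformed record: skip this header, keep scanning.
            pos = blob.find(FDSO_HEADER, pos + 16)
            continue
        found.append(blob[start:end])
        pos = blob.find(FDSO_HEADER, end)
    return found


def classify(data: bytes) -> str:
    """Cheap magic-byte / markup heuristic for an embedded file (own heuristic)."""
    head = data[:512]
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8\xff"):
        return "image"
    low = head.lstrip().lower()
    if low.startswith(b"<"):
        if b"<job" in low or b"<package" in low:
            return "wsf"  # Windows Script File wrapper elements
        if b"<script" in low or b"hta:application" in low:
            return "hta"
    return "unknown"


def triage(blob: bytes) -> list[tuple[str, int]]:
    """(type, size) for each embedded file; anything in SUSPICIOUS warrants blocking."""
    return [(classify(d), len(d)) for d in extract_embedded_files(blob)]


def build_record(payload: bytes) -> bytes:
    """Wrap payload in a FileDataStoreObject (used only to build constructed test data)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER


# Constructed sample: a benign image plus a WSF dropper, separated by filler bytes.
WSF_LURE = b'<job id="x"><script language="JScript">/* dropper body */</script></job>'
SAMPLE_ONE = (
    b"\0" * 64
    + build_record(b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
    + b"\0" * 16
    + build_record(WSF_LURE)
    + b"\0" * 8
)

if __name__ == "__main__":
    for kind, size in triage(SAMPLE_ONE):
        verdict = "BLOCK" if kind in SUSPICIOUS else "ok"
        print(f"{kind:8} {size:6} bytes  {verdict}")
```

Scanning for the header GUID rather than parsing the whole notebook structure is deliberate: it still works on notebooks with damaged or unusual object trees, which is exactly what a lure document tends to be, and the length check rejects records that claim more data than the file contains.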

Threat Actor Activity

Vice Society Shifts to Targeting Manufacturing with Custom Ransomware Variant

Threat actors from the Vice Society group have opened the new year by targeting organizations across the manufacturing industry with a variety of attacks. Vice Society is a Russian-speaking threat group whose ransomware operations have historically targeted the healthcare industry, among other sectors. Recently, Vice Society has shifted to attacking manufacturing organizations with custom ransomware that uses stronger encryption than the off-the-shelf strains it previously deployed. These attacks typically begin with Vice Society actors exploiting vulnerable public-facing software or using compromised credentials bought on dark web marketplaces. Once inside, the actors deploy Cobalt Strike for command and control and persistence on the infected endpoint, followed by additional tooling for lateral movement, credential dumping (Mimikatz), and file collection (KAPE). Vice Society occasionally deploys the Zeppelin ransomware strain, but more often opts for its custom ransomware, as Zeppelin's encryption is weaker. Since November 2022, Vice Society activity has been detected at thirty-four (34) manufacturing organizations, all of which appear to be located in Brazil. Vice Society activity is expected to continue in the months to come across several industries, including communications, healthcare, insurance, and manufacturing. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.

High-Severity iOS Flaw Allows RCE on Older Vulnerable Models

Apple has patched an actively exploited, high-severity iOS zero-day vulnerability affecting older iPhone, iPad, and iPod touch models. The flaw, tracked as CVE-2022-42856, is a type confusion bug in WebKit, the browser engine that underlies Safari and every other browser on iOS. Attackers could exploit it by socially engineering a victim into visiting a maliciously crafted, actor-controlled website. Successful exploitation gives the attacker arbitrary code execution within the browser's sandboxed web content process; chained with a sandbox escape and a privilege-escalation bug, this is the usual first stage of a full device compromise that lets spyware or other malware be installed and data be exfiltrated. Due to its active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch the flaw no later than January 4, 2023. Apple has not released technical details of the exploit, in order to give as many users as possible time to update before a public exploit appears. Apple states that the bug may have been actively exploited against versions of iOS released before iOS 15.1, and the in-the-wild attempts were likely highly targeted. That being said, CTIX analysts urge all iOS customers still using the devices listed in Apple's advisory to update their operating systems immediately to prevent exploitation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.