In part one, we examined how threat actors abuse a OneNote document to install an infostealer. Part 2 of this series discusses an AsyncRAT infection chain while detailing important parts of the code. We’ll also quickly analyze other notable malware strains such as Qakbot and RemcosRAT.

This campaign starts with threat actors emailing potential victims claiming that they have an unpaid invoice. The email conveys a sense of urgency to push victims into opening the OneNote attachment.

Figure 1. MailMarshal console showing the suspicious batch file, images and text contained in the OneNote notebook.

The OneNote document contains only one section with a ‘click to view document’ button image placed right above the batch script. When a user clicks the button image, the batch script is implicitly clicked and executed, prompting a security warning that recipients often ignore. As a trick to increase the click rate, threat actors purposely arrange copies of the script across the width of the button image.

Figure 2.
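The layout described above (one button image sitting over repeated copies of the same batch script) can be triaged statically by walking the notebook's embedded file objects. The sketch below is an added example, not code from the original article or from MailMarshal. It assumes the FileDataStoreObject framing GUIDs from the MS-ONESTORE specification, which the page does not state; `classify`, `triage`, `frame_object` and the sample bytes are hypothetical names and constructed data.

```python
import hashlib
import struct
import uuid
from collections import Counter

# Embedded-file framing per MS-ONESTORE FileDataStoreObject (not from the page).
HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
PREFIX = 36  # 16 GUID + 8 cbLength + 4 unused + 8 reserved

def embedded_objects(blob):
    """Yield the payload of each FileDataStoreObject found in blob."""
    pos = blob.find(HEADER)
    while pos != -1:
        if pos + PREFIX <= len(blob):
            (length,) = struct.unpack_from("<Q", blob, pos + 16)
            if pos + PREFIX + length <= len(blob):  # ignore truncated objects
                yield blob[pos + PREFIX:pos + PREFIX + length]
        pos = blob.find(HEADER, pos + 16)

def classify(payload):
    """Hypothetical heuristic: PNG magic, or a script that opens with @echo."""
    if payload.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image"
    if payload.lstrip()[:5].lower() == b"@echo":
        return "batch"
    return "other"

def triage(blob):
    """Count images, scripts and identical script copies; flag the lure layout."""
    kinds, copies = Counter(), Counter()
    for payload in embedded_objects(blob):
        kind = classify(payload)
        kinds[kind] += 1
        if kind == "batch":
            copies[hashlib.sha256(payload).hexdigest()] += 1
    return {
        "images": kinds["image"],
        "scripts": kinds["batch"],
        "max_copies": max(copies.values(), default=0),
        "suspicious": kinds["image"] > 0 and kinds["batch"] > 0,
    }

def frame_object(data):
    """Wrap data in the object framing (constructed test input only)."""
    return HEADER + struct.pack("<QI8x", len(data), 0) + data + FOOTER

# Constructed sample: one button image plus three copies of a harmless script.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
BAT = b"@echo off\r\necho constructed sample\r\n"
SAMPLE = b"\x00" * 8 + frame_object(PNG) + frame_object(BAT) * 3
```

A `max_copies` value above 1 corresponds to the duplicated-script trick; a mail gateway rule could raise severity on that signal in addition to the image-plus-script combination.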