Hello and welcome to the Thursday, January 26, 2020,

3 edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

I mentioned a couple of podcasts ago about Microsoft's OneNote being abused in order to deliver

scripts to victims. Well, Xavier now wrote up one example to walk you through the process

of actually analyzing these malicious documents. The typical extension here is dot one and DDE.

Luckily, wrote a tool to help you analyze it. So that's what Xavier uses here in order to walk

you through how to extract the script in this particular case and introduce the mechanics of how these malicious

documents work. It all starts with, well, a one-note document, of course, that has a big click

to view a document button, and that's really sort of the entire or the big trick here, by clicking

the button, the user will inadvertently open a document

that will then launch the script.

If you wonder why that button is kind of big and ugly, well, part of it maybe to make it easier

to hit the button, but also the actual malicious script is then hidden behind the button.

The button is just a PNG and, well, serves not just to trigger execution, but also to hide the actual malicious content.

If you run into any documents like that, well, please forward them, always interested in a newish malware.

Blocking the dot one extension or dot on e, so it's spelled out, one extension is a commonly

recommended countermeasure here. Just be careful that users don't actually email OneNote documents to each other.

Typically, I see them being shared via cloud services, not so much as email attachments,

but certainly possible that some people are sending them around as email.

Now, one thing attackers like to install on compromised systems is software that allows them

to remote control the system.

...