RT @pedramamini
New @InQuest blog post covering the recent rise of Microsoft OneNote as a malware carrier:

https://inquest.net/blog/2023/02/27/youve-got-malware-rise-threat-actors-using-microsoft-onenote-malicious-campaigns

We cover the timeline, campaigns, and tools. You can find downloadable samples and YARA detection logic at:

https://github.com/InQuest/malware-samples/tree/master/2023-02-OneNote

https://github.com/InQuest/yara-rules-vt/blob/main/Microsoft_OneNote_with_Suspicious_String.yar

You’ve Got Malware: The Rise of Threat Actors Using Microsoft OneNote for Malicious Campaigns


@decalage Output of @apachetika is available here:

https://github.com/tballison/share/tree/main/2023-02-OneNote-tika-json

We recently made some improvements to our OneNote parser. We have a lot more to do, but let me know if any of this is useful.

The benefit of the Tika framework is that it parses files and embedded files recursively.


@decalage @apachetika You can easily add external parsers (exiftool, etc).

Tika is not "forensics-grade", but you could certainly wrap forensics parsers so that analysts aren't running the OneNote parser on the container and then the pdf extractor on the embedded pdfs, etc...

@decalage @apachetika Looks like there may be some PowerShell? 🤣

@decalage @apachetika One file has a slightly more meaningful creator than "admin".

No guarantee that this isn't fabricated, but it does stand out.

@tallison @decalage @apachetika This is very useful. Is it possible to get the original extracted files? Like, say, I want to have the .bat or PowerShell files?

@decalage @hardik05 @apachetika The -z option extracts immediate children; it does not work recursively. That's on the todo list.

java -jar tika-app.x.y.jar -z mayhem.one

[TIKA-3703] Consider adding a frictionless data package output format - ASF JIRA

@tallison @apachetika @decalage Thanks. If this is done, it can be a good tool for security researchers, as they want to see all the extracted files for detection purposes (with decoded data, as it does right now).
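The question in the thread about getting the original .bat and PowerShell payloads out of a .one file can also be answered without a framework: embedded files in a OneNote section are stored as FileDataStoreObject structures, and the MS-ONESTORE specification gives that structure a fixed header GUID, an 8-byte cbLength, and a footer GUID, so a scanner can carve them directly. The script below is an added example, not code from Apache Tika, InQuest, or any participant in the thread. The GUIDs and field layout come from MS-ONESTORE; the sample .one content is constructed inline so the script runs offline, and the type-sniffing table and the keyword list used to spot script droppers are simplifications chosen for the example.

```python
"""Carve FileDataStoreObject payloads out of a OneNote (.one) section file.

Added example, not code from Apache Tika or InQuest. Structure layout
(guidHeader, cbLength, unused, reserved, FileData, guidFooter) is from the
MS-ONESTORE specification; the sample section built in sample_section()
is constructed for this example and is not a real malware sample.
"""
from __future__ import annotations

import struct
import uuid
from dataclasses import dataclass
from pathlib import Path

# MS-ONESTORE FileDataStoreObject GUIDs, written little-endian on disk.
GUID_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
GUID_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Magic-number table for common dropper payloads (simplified for the example)
# plus a keyword heuristic, because .bat/.cmd/.ps1 files carry no magic.
MAGICS = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"\xd0\xcf\x11\xe0", "ole")]
SCRIPT_HINTS = [b"powershell", b"@echo off", b"cmd /c", b"invoke-", b"wscript", b"cscript", b"mshta"]


@dataclass
class EmbeddedFile:
    offset: int        # offset of guidHeader in the section file
    size: int          # cbLength as stored
    kind: str          # sniffed type: exe/pdf/zip/ole/script/text/unknown
    footer_ok: bool    # guidFooter found where the spec says it should be
    data: bytes


def classify(data: bytes) -> str:
    """Cheap type sniffing so an analyst can pick out the script stages."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    low = data.lower()
    if any(hint in low for hint in SCRIPT_HINTS):
        return "script"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def carve(blob: bytes) -> list[EmbeddedFile]:
    """Scan for every guidHeader and carve cbLength bytes of FileData after it."""
    found: list[EmbeddedFile] = []
    pos = blob.find(GUID_HEADER)
    while pos != -1:
        if pos + HEADER_LEN > len(blob):
            break
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        start, end = pos + HEADER_LEN, pos + HEADER_LEN + cb_length
        # A corrupted or deliberately huge cbLength must never read past the file.
        if cb_length == 0 or end > len(blob):
            pos = blob.find(GUID_HEADER, pos + 1)
            continue
        # guidFooter follows FileData after up to 7 bytes of alignment padding
        # (assumption for the example); a missing footer is worth flagging.
        footer_ok = blob.find(GUID_FOOTER, end, end + 8 + 16) != -1
        found.append(EmbeddedFile(pos, cb_length, classify(blob[start:end]), footer_ok, blob[start:end]))
        pos = blob.find(GUID_HEADER, end)
    return found


def save_all(objs: list[EmbeddedFile], out_dir: Path) -> list[Path]:
    """Write each carved payload as obj_<offset>.<kind> and return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for obj in objs:
        path = out_dir / f"obj_{obj.offset:08x}.{obj.kind}"
        path.write_bytes(obj.data)
        paths.append(path)
    return paths


# ---- constructed sample input (not a real .one file) -----------------------
SAMPLE_BAT = b"@echo off\r\npowershell -w hidden -enc AAAA\r\n"
SAMPLE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40


def build_store_object(payload: bytes) -> bytes:
    """Serialize one FileDataStoreObject, 8-byte aligned, with its footer."""
    pad = (-len(payload)) % 8
    return (GUID_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 4 + b"\x00" * 8
            + payload + b"\x00" * pad + GUID_FOOTER)


def sample_section() -> bytes:
    """Junk, a .bat dropper, an MZ stub, then a bogus header whose cbLength runs past EOF."""
    bogus = GUID_HEADER + struct.pack("<Q", 2 ** 40) + b"\x00" * 12
    return b"\xaa" * 37 + build_store_object(SAMPLE_BAT) + b"\xbb" * 11 + build_store_object(SAMPLE_EXE) + bogus


if __name__ == "__main__":
    for obj in carve(sample_section()):
        print(f"offset=0x{obj.offset:x} size={obj.size} kind={obj.kind} footer_ok={obj.footer_ok}")
```

Run it against a real section with `carve(Path("mayhem.one").read_bytes())` and `save_all(...)`; the carved .bat and PowerShell stages are what the thread's YARA rule and the Tika `-z` output both try to surface, and the bounds check on cbLength is the part that matters when the sample is hostile rather than merely malformed.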