# Deep Dive Analysis of an AsyncRAT OneNote Dropper
## Analysis Summary
This summary covers the full attack chain: initial delivery through a OneNote document, obfuscated scripting stages, and the final deployment of the AsyncRAT malware, based on the analysis context provided.
# Tool/Technique: AsyncRAT Delivered via OneNote
## Overview
This entry describes a payload delivery technique that uses malicious Microsoft OneNote documents (`.one`) to trick users into executing an embedded batch file, which then launches a multi-stage PowerShell execution chain ending in the in-memory loading of the AsyncRAT remote access Trojan.
## Technical Details
- Type: Malware Delivery Chain / Malware (AsyncRAT)
- Platform: Windows
- Capabilities: Initial document execution, embedded file extraction, obfuscated PowerShell execution, memory injection/execution of a final payload.
- First Seen: Not explicitly stated; the analysis describes the technique as recent.
## MITRE ATT&CK Mapping
The execution flow suggests several related TTPs:
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File: OneNote document used to trick users.
  - T1059.001 - Command and Scripting Interpreter: PowerShell used for decryption and execution.
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information: Use of broken strings, Base64 encoding, and a compiled/compressed payload.
  - T1055 - Process Injection: Implied by the .NET loader's execution and subsequent payload deployment.
  - T1564.001 - Hide Artifacts: Setting files to be hidden and marked as system files.
  - T1070.005 - Indicator Removal: Logging evasion (ETW unhooking).
- **TA0003 - Persistence**: Not explicitly detailed, but typical for RATs.

Note: any specific T#### mappings for the AMSI/ETW bypasses fall under the Defense Evasion tactic.
## Functionality
### Core Capabilities
1. **Initial Stage (OneNote):** Hides a `.bat` file within the OneNote document, disguised as a clickable button (e.g., leading to a fake attachment prompt).
2. **Batch Script Execution:**
   * Copies `powershell.exe` into the current directory under the batch script's own file name with a `.exe` extension (self-replication).
   * Executes a complex, obfuscated PowerShell command.
3. **PowerShell Decryption Stage (`Loader.ps1`):**
   * Reads the batch script's own file content (`%~f0`).
   * Extracts the Base64 blob that follows the `:: ` comment marker.
   * Decrypts the blob with hardcoded AES key/IV values (Key: `I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc=`, IV: `mehcJXqMnXZUmnmrBD1Eeg==`).
   * Decompresses the resulting data with GZip.
   * Reflectively loads the decrypted binary into memory using `[System.Reflection.Assembly]::Load()`.
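The decryption stage in step 3, reproduced as an added analyst-side decoder in Python (not code from the original report, the loader, or the dropper). It assumes the .NET `AesManaged` defaults of CBC mode with PKCS7 padding, that either `cryptography` or PyCryptodome is installed, and it feeds the decoder a constructed batch sample rather than the real `One.bat`.

```python
import base64
import gzip
import re

try:  # Assumption: cryptography is available; PyCryptodome is the fallback.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
        c = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = c.decryptor() if decrypt else c.encryptor()
        return op.update(data) + op.finalize()
except ImportError:
    from Crypto.Cipher import AES

    def _aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
        c = AES.new(key, AES.MODE_CBC, iv)
        return c.decrypt(data) if decrypt else c.encrypt(data)

# Hard-coded key and IV exactly as reported above (32-byte key -> AES-256, 16-byte IV).
KEY = base64.b64decode("I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc=")
IV = base64.b64decode("mehcJXqMnXZUmnmrBD1Eeg==")
# Assumption: .NET AesManaged defaults, i.e. CBC mode with PKCS7 padding.
BLOB_RE = re.compile(r"^::\s*([A-Za-z0-9+/=]{32,})\s*$", re.MULTILINE)

def extract_blob(batch_text: str) -> bytes:
    """Return the Base64 blob the loader hides behind a ':: ' batch comment line."""
    m = BLOB_RE.search(batch_text)
    if m is None:
        raise ValueError("no ':: <base64>' line found in batch text")
    return base64.b64decode(m.group(1))

def decrypt_payload(blob: bytes) -> bytes:
    """Mirror the loader's steps: AES-CBC decrypt, strip PKCS7, then GZip-decompress."""
    plain = _aes_cbc(KEY, IV, blob, decrypt=True)
    pad = plain[-1] if plain else 0
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS7 padding: wrong key/IV or corrupted blob")
    return gzip.decompress(plain[:-pad])

def build_sample_batch(payload: bytes) -> str:
    """Constructed stand-in for One.bat (not the real dropper): wrap a payload
    the same way so the decoder can be exercised offline."""
    gz = gzip.compress(payload)
    n = 16 - len(gz) % 16
    blob = _aes_cbc(KEY, IV, gz + bytes([n]) * n, decrypt=False)
    return "@echo off\r\n:: " + base64.b64encode(blob).decode() + "\r\n"

def recover_from_batch(batch_text: str) -> bytes:
    """Full analyst pipeline: locate the blob, decrypt it, decompress it."""
    return decrypt_payload(extract_blob(batch_text))
```

On a real sample the recovered bytes should start with `MZ` (the .NET loader PE); anything else means the key, IV or mode assumption does not hold for that variant.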
### Advanced Features
1. **Obfuscation:** The batch file uses broken strings assigned to variables to construct commands, requiring manual assembly or parsing.
2. **Defense Evasion (via .NET Loader):** The decrypted binary (.NET loader) performs several evasion techniques:
   * **AMSI Bypass:** Disables Antimalware Scan Interface checks.
   * **ETW Unhooking:** Disables Event Tracing for Windows logging specifically for `Assembly.Load` calls, attempting to hide dynamic loading.
   * **VM Check:** Performs checks based on computer system information.
   * **File Hiding:** Sets the executed file to be hidden and marked as a system file.
3. **Final Payload:** The execution chain results in the deployment of **AsyncRAT**.
## Indicators of Compromise
- File Hashes (SHA-256, example IOCs provided):
  - `Invoice.one`: b11b51ff96dc7a5f1cf9985087a6ad4f66980a2b2a9b1945acd43e39434c8dec
  - `One.bat`: 9800bef9d4936ee96d4872fb686121dd7209f8b529e9bdc833c4fe54bb68f5c8
  - `DotNetLoader.bin`: 3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50
  - `AsyncRAT.bin`: 00cdee79a9afc1bf239675ba0dc1850da9e4bf9a994bb61d0ec22c9fdd3aa36f
- File Names: `Invoice.one`, `One.bat`, `DotNetLoader.bin`
- Registry Keys: Not detailed.
- Network Indicators (AsyncRAT C2 structure noted):
  - Server Certificate Subject: `CN=AsyncRAT Server`
- Behavioral Indicators: PowerShell execution with `-windowstyle hidden -ep bypass -command`, a script reading its own file content, dynamic decryption and in-memory loading, and AMSI/ETW evasion calls.
## Associated Threat Actors
The final malware payload is **AsyncRAT**, which is used by various threat groups and sold commercially. No specific actor is named in connection with this OneNote delivery method in the context.
## Detection Methods
- Signature-based detection: Use the file hashes listed above.
- Behavioral detection: Monitor for PowerShell scripts that:
  * Read their own file content extensively.
  * Use reversed-string constructs (e.g., `('txeTllAdaeR'[-1..-11] -join '')`, which rebuilds `ReadAllText` at run time).
  * Perform large Base64 decodes followed by GZip decompression in memory.
  * Make calls related to memory manipulation or hooking associated with AMSI/ETW checks (e.g., calls targeting `amsi.dll` or `ntdll.dll` for unhooking).
- YARA rules: Can be created targeting the unique AES keys/IVs or embedded strings within the batch/PowerShell components.
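The behavioural indicators above turned into a small script scanner, as an added example that is not part of the original report. It first rebuilds the `[-1..-N] -join ''` reversed strings so that indicator matching sees the real API name, then reports which indicators fire; the indicator names and the sample script fragment are my own constructions, and the fragment is deliberately incomplete rather than a copy of `One.bat`.

```python
import re
from typing import List

# The reversed-string construct quoted above, ('txeTllAdaeR'[-1..-11] -join ''),
# walks the last N characters backwards and glues them, yielding "ReadAllText".
REVERSED_RE = re.compile(
    r"\(\s*'([^']+)'\s*\[\s*-1\s*\.\.\s*-(\d+)\s*\]\s*-join\s*''\s*\)")

# Behavioural indicators from the Detection Methods list; the names are my own.
INDICATORS = {
    "hidden_bypass_launch": re.compile(
        r"-windowstyle\s+hidden.*?-ep\s+bypass.*?-command", re.I | re.S),
    "reads_own_file": re.compile(r"%~f0", re.I),
    "reads_all_text": re.compile(r"ReadAllText", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "gzip_in_memory": re.compile(r"GZipStream", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "reported_aes_key_or_iv": re.compile(
        r"I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc=|mehcJXqMnXZUmnmrBD1Eeg=="),
}

def unreverse_strings(script: str) -> str:
    """Rewrite each ('...'[-1..-N] -join '') into the literal it builds at run time."""
    def rebuild(m) -> str:
        s, n = m.group(1), int(m.group(2))
        return "'" + s[::-1][:n] + "'"   # last N chars, read backwards
    return REVERSED_RE.sub(rebuild, script)

def scan_script(script: str) -> List[str]:
    """Deobfuscate reversed strings, then return the sorted indicator names that fire."""
    text = unreverse_strings(script)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

# Constructed fragment that mimics the loader's shape for exercising the scanner.
# It is intentionally incomplete and is not the real One.bat.
SAMPLE = r"""
@echo off
:: QUJDRGNvbnN0cnVjdGVkQkxPQg==
powershell -windowstyle hidden -ep bypass -command "$t=[IO.File]::('txeTllAdaeR'[-1..-11] -join '')('%~f0');
$b=[Convert]::FromBase64String('I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc=');
$g=New-Object IO.Compression.GZipStream($ms,[IO.Compression.CompressionMode]::Decompress);
[System.Reflection.Assembly]::Load($out)"
"""
```

Run `scan_script` over a script body pulled from PowerShell ScriptBlock logging (Event ID 4104) or from a suspect batch file; several indicators firing together is the signal, a single one (e.g. `FromBase64String`) is common in benign administration.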
## Mitigation Strategies
- **Email/Application Security:** Ensure robust filtering for suspicious file types, including OneNote attachments if possible, or restrict execution of embedded content.
- **Application Control:** Restrict execution of copied PowerShell instances in non-standard paths (like user directories).
- **Endpoint Detection and Response (EDR):** Configure detections for PowerShell execution bypassing standard policies (`-ExecutionPolicy Bypass`) when combined with file reading or network activity.
- **OS Hardening:** Implement controls to restrict writing executable files (`.exe`) in user profile directories by non-elevated processes.
- **Configuration:** Ensure AMSI is enabled and logging (ETW) is properly configured and monitored.
## Related Tools/Techniques
- **OneDump.py:** Tool used to analyze and extract embedded files from OneNote containers.
- **AsyncRAT:** The final Remote Access Trojan deployed.
- **aes (Python module):** Used during analysis to confirm the decryption routine.
- **AmsiScanBufferBypass.cs / ETW Unhooking concepts:** Related defense evasion techniques utilized by the loader.