OneNote Files & Parallax RAT: The New Face of Cryptocurrency Exchange Attacks
In February 2023, JPCERT/CC discovered an attack on a cryptocurrency exchange that involved the Parallax RAT malware. The attackers attempted to infect the employees of the exchange by sending spam emails containing malicious links.
The attack began with a spam email urging recipients to download a file from a Google Drive link. Accessing the link downloaded a ZIP file containing a OneNote file. The OneNote file contained obfuscated VBS files hidden behind an image that prompted the user to click it. Running one of the VBS files led to the download and execution of several files, including Parallax RAT.
Upon analysis, researchers found that the OneNote file contained embedded VBS files. Decoding them revealed a PowerShell script that downloaded several files, including a decoy PDF file, a script that configures Windows Defender exclusions, and the Parallax RAT malware.
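As an added example (not code from the JPCERT/CC analysis), the following Python script walks the embedded-file structures of a OneNote (.one) file and flags objects that look like VBS or PowerShell droppers of the kind described above. The two GUIDs come from the MS-ONESTORE FileDataStoreObject layout; the content markers are my own heuristics, and the .one blob being scanned is constructed inline.

```python
import re
import struct
import uuid

# MS-ONESTORE FileDataStoreObject: 16-byte header GUID, 8-byte length,
# 4 unused + 8 reserved bytes, the embedded file bytes, then a footer GUID.
HDR = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FTR = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# Heuristic markers (assumption, not a vendor signature) for script droppers.
SUSPICIOUS = [
    ("vbscript", re.compile(rb"(?i)\b(CreateObject|WScript\.Shell)\b")),
    ("powershell", re.compile(rb"(?i)powershell|-EncodedCommand|FromBase64String")),
    ("pe-executable", re.compile(rb"^MZ")),
]

def extract_embedded(data: bytes) -> list[bytes]:
    """Return the payload of every FileDataStoreObject found in a .one blob."""
    objs, pos = [], 0
    while (i := data.find(HDR, pos)) >= 0:
        (length,) = struct.unpack_from("<Q", data, i + 16)
        start = i + 16 + 8 + 4 + 8          # skip header GUID, length, unused, reserved
        objs.append(data[start:start + length])
        pos = start + length                 # do not re-scan inside this payload
    return objs

def classify(payload: bytes) -> list[str]:
    """Names of the SUSPICIOUS markers that match this embedded object."""
    return [name for name, rx in SUSPICIOUS if rx.search(payload)]

def scan_onenote(data: bytes) -> list[dict]:
    """Report each embedded object with its size and the markers it triggers."""
    return [{"index": n, "size": len(p), "flags": classify(p)}
            for n, p in enumerate(extract_embedded(data))]

def build_sample() -> bytes:
    """Constructed sample: a fake .one blob holding a PNG stub and a VBS dropper."""
    vbs = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "powershell -EncodedCommand AAAA"\r\n'
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    obj = lambda p: HDR + struct.pack("<Q", len(p)) + b"\x00" * 12 + p + FTR
    return b"\x00" * 64 + obj(png) + b"\x00" * 16 + obj(vbs)

if __name__ == "__main__":
    for report in scan_onenote(build_sample()):
        print(report)
```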
Parallax RAT persists by creating a file that runs automatically at device startup. It then launches a legitimate Windows process, injects its malicious code into that process, writes captured keystrokes to a log file, and communicates with a command and control (C2) server. Because the malicious activity runs inside a legitimate Windows process, it is harder for security products to detect.
Researchers also identified additional malware and tools on the server used in the attack, including NetSupport Manager, GuLoader, and an IRC bot. Another OneNote file, seemingly used in other attacks, was also discovered. This file contained commands and passwords that the attacker likely used when uploading files to the server.
The use of OneNote files to infect users with malware has been increasingly observed in recent years. The Parallax RAT identified in this case exemplifies the challenges in detecting and combating such threats. It is crucial for individuals and organizations to remain vigilant and adopt robust security measures to protect their systems from these sophisticated attacks.