
New Analysis: Qakbot Abusing OneNote for Malware Distribution

Qakbot, also tracked as Qbot, Pinkslipbot, and QuakBot, is a sophisticated malware family that has been active for well over a decade. This January, researchers observed Qakbot campaigns using OneNote documents as the delivery vehicle, making Qbot the latest in a series of malware families to adopt this distribution method.

Diving into details

  • The campaigns alternate between two attack vectors: a URL embedded in the email to download the malicious file and a malicious file as an email attachment.
  • The OneNote documents feature a call-to-action button that, once clicked, runs the file embedded beneath it and so executes the payload.
  • Qakbot uses several evasion techniques including anti-debugging, anti-dynamic analysis, anti-AVs, and encrypted C2 communication.

Who is on the radar?

  • Organizations in the banking, financial, and wealth management sectors are the most affected, followed by those in the government and outsourcing sectors.
  • The campaigns have targeted organizations in the U.S., Thailand, India, and Turkey.

Not the first OneNote-Qakbot campaign

Sophos researchers observed two parallel spam campaigns, dubbed Qaknote, that distributed malicious OneNote attachments with an HTML application (HTA) embedded.
  • The first campaign sent impersonal malspam containing a link to the malicious OneNote file.
  • The second used thread injection: it hijacked existing email threads and sent a reply-to-all message to every recipient with a malicious OneNote notebook attached.
  • In both cases, the embedded HTA ultimately downloaded and installed Qbot.

The bottom line

While earlier Qakbot campaigns appeared indiscriminate, recent ones have focused on specific sectors, and researchers expect this targeting strategy to persist in future campaigns. Researchers have also shared indicators and mitigation guidance for this threat. Recommended measures include blocking emails whose attachments carry unusual extensions (such as .one), blocking access to known-malicious websites, and blocking rarely used top-level domains.
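Two of the points above, the embedded object that the lure's call-to-action button launches and the recommendation to block attachments with unusual extensions, can be turned into a mail-gateway check. The following is an added example written for this page, not code from Cyware, Sophos, or any of the cited researchers. It assumes the OneNote FileDataStoreObject layout documented in Microsoft's MS-ONESTORE specification; the extension policy list, file names, and sample buffer in it are constructed for illustration.

```python
"""Triage a mail attachment that may be a OneNote (.one) lure.

Added example, not code from the Cyware write-up or from any vendor tool.
It relies on two structures documented in Microsoft's MS-ONESTORE spec:
  * a .one file begins with guidFileType {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3};
  * each embedded file sits in a FileDataStoreObject: guidHeader
    {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAD}, then an 8-byte little-endian
    cbLength, 4 unused bytes, 8 reserved bytes, then cbLength bytes of FileData.
The extension policy list, file names and sample buffer are constructed.
"""
import os
import struct
import uuid

ONE_FILE_TYPE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FILE_DATA_STORE_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAD").bytes_le
FDSO_HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Assumed mail-gateway policy: extensions that rarely arrive legitimately by mail.
SUSPICIOUS_EXTENSIONS = {".one", ".onepkg", ".hta", ".js", ".wsf", ".vbs",
                         ".lnk", ".cmd", ".bat", ".iso", ".img"}


def suspicious_extension(filename: str) -> bool:
    return os.path.splitext(filename)[1].lower() in SUSPICIOUS_EXTENSIONS


def is_onenote_file(data: bytes) -> bool:
    """Content check, so a renamed section (e.g. 'invoice.pdf') is still caught."""
    return data[:16] == ONE_FILE_TYPE_GUID


def carve_embedded_files(data: bytes) -> list:
    """Return the FileData bytes of every FileDataStoreObject in a .one blob.

    Objects whose declared cbLength runs past the end of the buffer are
    skipped rather than truncated, so a corrupt length cannot produce a
    partial blob that mis-classifies.
    """
    found = []
    pos = data.find(FILE_DATA_STORE_GUID)
    while pos != -1:
        length_at = pos + 16
        if length_at + 8 <= len(data):
            (length,) = struct.unpack_from("<Q", data, length_at)
            start = pos + FDSO_HEADER_LEN
            end = start + length
            if length and end <= len(data):
                found.append(data[start:end])
        pos = data.find(FILE_DATA_STORE_GUID, pos + 16)
    return found


def classify_payload(blob: bytes) -> str:
    """Coarse type of an embedded object, from magic bytes and text markers."""
    head = blob[:512].lstrip().lower()
    if blob[:2] == b"MZ":
        return "pe"
    if head.startswith(b"<html") or b"<hta:application" in head or b"<script" in head:
        return "hta"
    if head.startswith(b"@echo") or b"powershell" in head or b"cmd /c" in head or b"wscript" in head:
        return "script"
    if blob[:8] == b"\x89PNG\r\n\x1a\n" or blob[:3] == b"\xff\xd8\xff":
        return "image"  # typically the call-to-action button graphic
    return "unknown"


ACTIVE_KINDS = {"pe", "hta", "script"}


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the extension policy with inspection of embedded objects."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if suspicious_extension(filename):
        reasons.append(f"attachment extension {ext} is on the block list")
    if is_onenote_file(data):
        if ext != ".one":
            reasons.append(f"content is a OneNote section but extension is {ext or '(none)'}")
        for i, blob in enumerate(carve_embedded_files(data)):
            kind = classify_payload(blob)
            if kind in ACTIVE_KINDS:
                reasons.append(f"embedded object {i} looks like {kind} ({len(blob)} bytes)")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


def _fdso(blob: bytes) -> bytes:
    """Wrap a blob in a FileDataStoreObject header (the trailing guidFooter is omitted)."""
    return FILE_DATA_STORE_GUID + struct.pack("<Q", len(blob)) + b"\x00" * 4 + b"\x00" * 8 + blob


def build_sample_lure() -> bytes:
    """Constructed stand-in for a Qakbot-style lure: a button image over an HTA.

    Only the two GUID-bearing structures are mimicked; a real .one file
    carries much more header structure around them.
    """
    button = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    hta = (b'<html><head><hta:application id="lure"/></head>'
           b"<body><script>/* constructed placeholder, no payload */</script></body></html>")
    return ONE_FILE_TYPE_GUID + b"\x00" * 48 + _fdso(button) + b"\x00" * 16 + _fdso(hta)


if __name__ == "__main__":
    print(triage_attachment("Invoice_0123.one", build_sample_lure()))
```

The content check matters more than the extension check: a gateway that only keys on `.one` misses a section file delivered under another name, while carving the embedded objects flags the HTA regardless of what the attachment is called.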
Publisher: Cyware