A brand new QBot malware marketing campaign dubbed “QakNote” has been noticed within the wild since final week, utilizing malicious Microsoft OneNote’ .one’ attachments to contaminate methods with the banking trojan.
Qbot (aka QakBot) is a former banking trojan that developed into malware that focuses on gaining preliminary entry to units, enabling menace actors to load further malware on the compromised machines and carry out data-stealing, ransomware, or different actions throughout a complete community.
OneNote attachments in phishing emails emerged final month as a brand new assault vector to interchange malicious macros in Office paperwork that Microsoft disabled in July 2022, leaving menace actors with fewer choices to execute code on targets’ units.
Threat actors can embed virtually any file sort when creating malicious OneNote paperwork, together with VBS attachments or LNK recordsdata. These are then executed when a consumer double-clicks on the embedded attachment in a OneNote Notebook.
However, it’s essential to introduce social engineering to persuade customers to click on on a selected spot to launch the embedded attachment, often accomplished with a ‘Double Click to View File’ button or another name to motion, as proven beneath.
Source: BleepingComputer
Once launched, the embedded attachments can execute instructions on the native machine to obtain and set up malware.
The QakNote marketing campaign
In the new report by Sophos, safety researcher Andrew Brandt explains that QBot’s operators have began experimenting with this new distribution methodology since January 31, 2023, utilizing OneNote recordsdata that include an embedded HTML utility (HTA file) that retrieves the QBot malware payload.
This swap in QBot’s distribution was first publicly reported by Cynet’s researcher Max Malyutin on Twitter on January 31, 2023.
A script within the HTA file will use the reputable curl.exe utility to obtain a DLL file (the Qbot malware) to the C:ProgramData folder and is then executed utilizing Rundll32.exe.
The QBot payload injects itself into the Windows Assistive Technology supervisor (“AtBroker.exe”) to hide its presence and evade detection from AV instruments operating on the machine.
Sophos studies that QBot’s operators make use of two distribution strategies for these HTA recordsdata: one which sends emails with an embedded hyperlink to the weaponized .one file and one the place the “thread injections” methodology is used.
The latter is a very tough approach the place the QBot operators hijack current electronic mail threads and ship a “reply-to-all” message to its members with a malicious OneNote Notebook file because the attachment.
To make these assaults much more misleading for the victims, the menace actors use a faux button within the Notebook file that supposedly downloads the doc from the cloud, but when clicked, it as a substitute runs the embedded HTA attachment.
While this motion will generate a warning dialog for the sufferer warning concerning the dangers of operating attachments, there’s all the time an opportunity that will probably be ignored.
As a protection in opposition to this new assault vector, Sophos means that electronic mail directors contemplate blocking all .one file extensions, as they don’t seem to be generally despatched as attachments.