A new Qakbot malware campaign dubbed “QakNote” has been observed in the wild over the course of the last week and uses Microsoft OneNote attachments to infect systems. In this new campaign, the attackers utilize OneNote files that contain an embedded HTA file attachment that then retrieves the QakBot payload. A script in the HTA file uses curl.exe to download the payload (a DLL) to the C:ProgramData directory where it is then executed using rundll32.exe. The payload then injects itself into AtBroker.exe to evade detection. The QakBot operators employ two distribution methods for these HTA files:
- Email with an embedded link to the weaponized ONE file
- Thread injections
The latter technique is where the QBot operators hijack existing email threads and send a “reply-to-all” message to its participants with a malicious OneNote Notebook file as the attachment.
QakBot is a relatively well-known malware that specializes in gaining initial access, allowing for the loading of additional malware as well as data stealing and ransomware capabilities. The shift in the malware’s distribution follows the announcement from Microsoft in July where they disabled macros in Office documents by default. As of late, malicious OneNote attachments have been seen used in a large number of campaigns.
Analyst Notes
Since the disabling of Office macros by Microsoft, a variety of new techniques have arisen to gain remote code execution on a host, with OneNote attachments becoming one of the more prominent techniques seen. As it is rather uncommon for OneNote files to be sent through email, many researchers recommend blocking these extensions altogether. However, for organizations where that is not possible, other options are available. One potential monitoring solution would be to monitor all OneNote files that are sent through email. As this is a rather large undertaking for some organizations, another solution would be to monitor for suspicious process chains where Outlook or a browser is seen spawning OneNote, which is then seen launching an attachment. Finally, an organization could also monitor all OneNote attachment executions in the environment, tuning out those that are not malicious or are commonly seen.
https://www.bleepingcomputer.com/news/security/new-qaknote-attacks-push-qbot-malware-via-microsoft-onenote-files/
