
QBot

Phishing

Malware

QBot Malware Pushes New QakNote Campaign via Microsoft OneNote Files

A new QBot malware campaign "QakNote" is using malicious Microsoft OneNote attachments to infect systems, bypassing anti-virus tools by injecting

08-Feb-2023

A new QakNote campaign has been discovered using malicious Microsoft OneNote attachments to infect systems with QBot malware. QBot, originally a banking trojan, has evolved into malware that specializes in gaining initial access to devices and then stealing data, deploying ransomware, or carrying out other malicious activity across an entire network.

OneNote Attachments as a New Attack Vector

Threat actors have recently turned to OneNote attachments as a new attack vector after Microsoft disabled malicious macros in Office documents in July 2022. A OneNote notebook can embed almost any file type, including VBS scripts or LNK shortcuts, and the embedded file is executed when a user double-clicks it inside the notebook. To infect a device, the threat actors rely on social engineering to convince the user to click the malicious attachment, usually by covering it with a "Double Click to View File" button.

QakNote Campaign

The QBot operators have started experimenting with OneNote files as a new distribution method since January 31, 2023. These files contain an embedded HTML application (HTA file) that retrieves the QBot malware payload. The script in the HTA file downloads the QBot malware to the C:\ProgramData folder and executes it using Rundll32.exe. The payload injects itself into the Windows Assistive Technology manager to evade detection from anti-virus tools.

Two Distribution Methods

Sophos reports that QBot’s operators use two methods to distribute the HTA files: emails with an embedded link to the weaponized .one file, and thread injection. The latter is a deceptive technique in which the QBot operators hijack existing email threads and send a "reply-to-all" message with a malicious OneNote notebook file as the attachment. To make these attacks even more convincing, the threat actors place a fake button in the notebook that supposedly downloads the document from the cloud but instead runs the embedded HTA attachment.

Defense Against the QakNote Campaign

As a defense against this new attack vector, Sophos suggests blocking all .one file extensions, as they are not commonly sent as attachments. Although running the malicious attachment will generate a warning dialog, there is still a risk that the victim will ignore it. Stay vigilant and protect your devices by only opening attachments from trusted sources.
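An added detection example (not part of the original post or of Sophos's reporting): it flags the two process steps described above, OneNote launching the embedded HTA through mshta.exe and that HTA running rundll32.exe with a payload under C:\ProgramData, over constructed Sysmon-style process-creation records. The field names, file paths and DLL name in the sample records are assumptions made for the example.

```python
"""Flag process-creation events that match the QakNote execution chain.

Assumed record shape (constructed, Sysmon-like): a dict with 'parent' (parent
image path), 'image' (new process path) and 'cmdline'. Not the post's own code.
"""
import ntpath
from typing import Optional

ONENOTE_TO_MSHTA = "onenote.exe spawned mshta.exe (embedded HTA executed)"
MSHTA_TO_RUNDLL32 = "mshta.exe launched rundll32.exe with a payload under C:\\ProgramData"


def _name(path: str) -> str:
    # Case-folded file name, so r"C:\Windows\System32\mshta.exe" -> "mshta.exe".
    return ntpath.basename(path).lower()


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event matches a QakNote stage, else None."""
    parent, image = _name(event["parent"]), _name(event["image"])
    cmd = event["cmdline"].lower()
    # Stage 1: the HTA embedded in the .one file is opened from inside OneNote.
    if parent == "onenote.exe" and image == "mshta.exe":
        return ONENOTE_TO_MSHTA
    # Stage 2: the HTA script runs the downloaded DLL via rundll32 from C:\ProgramData.
    if parent == "mshta.exe" and image == "rundll32.exe" and "c:\\programdata\\" in cmd:
        return MSHTA_TO_RUNDLL32
    return None


def scan(events: list) -> list:
    """Return (index, reason) for every event that matches a stage."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample records: one benign OneNote launch, the two malicious
# stages, and a benign rundll32 use from System32 (paths are assumptions).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE", "cmdline": "ONENOTE.EXE invoice.one"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE", "image": r"C:\Windows\System32\mshta.exe", "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\open.hta"'},
    {"parent": r"C:\Windows\System32\mshta.exe", "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe C:\ProgramData\payload.dll,Entry"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```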