A new QBot malware campaign "QakNote" is using malicious Microsoft OneNote attachments to infect systems, bypassing anti-virus tools by injecting
A new QakNote campaign has been discovered using malicious Microsoft OneNote attachments to infect systems with QBot malware. QBot (also tracked as Qakbot), once a banking trojan, has evolved into an initial-access tool: after it gains a foothold on one device, its operators use it to steal data, deploy ransomware, or carry out other malicious activity across the entire network.
Threat actors have recently turned to OneNote attachments as a new attack vector after Microsoft began blocking macros by default in Office documents downloaded from the internet in July 2022. A OneNote notebook can embed almost any file type, including VBS scripts and LNK shortcuts, and the embedded file runs when the user double-clicks it inside the notebook. To get that double-click, the threat actors rely on social engineering, typically a fake "Double Click to View File" button laid over the embedded attachment.
The QBot operators have been experimenting with OneNote files as a distribution method since January 31, 2023. The notebooks carry an embedded HTML Application (.hta) file whose script retrieves the QBot payload, writes it to the C:\ProgramData folder, and launches it with rundll32.exe. The loaded payload then injects itself into AtBroker.exe, the Windows Assistive Technology Manager, so that the malicious code runs inside a legitimate signed process and evades anti-virus detection.
Sophos reports that QBot's operators use two methods to deliver the weaponized .one files: emails that contain a link to the file, and thread hijacking (also called thread injection), in which the operators take over existing email threads and send a "reply-to-all" message with the malicious OneNote notebook attached, so the lure arrives in a conversation the victim already trusts. To make the attack more convincing, the notebook shows a fake button that supposedly downloads the document from the cloud; clicking it instead runs the embedded HTA attachment.
As a defense against this vector, Sophos suggests blocking .one attachments outright, since they are rarely sent legitimately as email attachments. OneNote does display a warning dialog before running an embedded attachment, but a victim who has already been primed by the lure may simply click through it, so the attachment block is the more reliable control. Stay vigilant and protect your devices by only opening attachments from trusted sources.
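As an added example (not code from the Sophos report or from this article), the following Python script shows what a mail-gateway or sandbox triage step for this vector can look like: it carves the embedded files out of a OneNote notebook and flags the kinds of payload described above. It relies on the FileDataStoreObject framing from Microsoft's MS-ONESTORE specification (header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, an 8-byte little-endian length, 12 bytes of padding, the file bytes, then footer GUID {71FBA722-0F79-4A0B-BB13-899256426B24}). The notebook bytes it scans are constructed inline, are not a real .one file, and carry only the indicator strings the article names (rundll32, C:\ProgramData), not a working dropper. It goes a little beyond the article by also recognising LNK, VBS and PE embeds, and the indicator list beyond those two strings is my own choice of generic living-off-the-land markers.

```python
import struct

# Framing of an embedded file inside a .one notebook, per MS-ONESTORE 2.6.13
# (FileDataStoreObject): guidHeader (16) | cbLength (8, LE) | unused (4) |
# reserved (8) | FileData (cbLength bytes) | guidFooter (16).
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
HEADER_LEN = 16 + 8 + 4 + 8

# Shell link (.lnk) files start with HeaderSize=0x4C followed by the LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

# rundll32 / ProgramData are the strings the article attributes to the QakNote
# HTA stage; the rest are generic living-off-the-land markers (an assumption,
# not something the article reports).
INDICATORS = (b"rundll32", b"programdata", b"mshta", b"regsvr32",
              b"powershell", b"wscript.shell", b"http")


def extract_embedded_files(blob: bytes) -> list[bytes]:
    """Carve every FileDataStoreObject payload out of raw notebook bytes.

    Objects whose declared length runs past the end of the blob are skipped
    rather than partially returned, so a truncated file cannot yield a
    misleading fragment.
    """
    payloads = []
    pos = blob.find(FILE_DATA_HEADER)
    while pos != -1:
        if pos + HEADER_LEN > len(blob):
            break  # header cut off: nothing trustworthy to read
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_LEN
        end = start + length
        if end <= len(blob):
            payloads.append(blob[start:end])
            pos = blob.find(FILE_DATA_HEADER, end)
        else:
            pos = blob.find(FILE_DATA_HEADER, pos + 16)
    return payloads


def classify(payload: bytes) -> dict:
    """Identify what kind of file was embedded and which indicators it carries."""
    low = payload.lower()
    if payload.startswith(b"MZ"):
        kind = "pe"
    elif payload.startswith(LNK_MAGIC):
        kind = "lnk"
    elif b"<hta:application" in low:
        kind = "hta"
    elif b"<script" in low:
        kind = "html-script"
    elif b"createobject(" in low or b"wscript" in low:
        kind = "vbs"
    else:
        kind = "other"
    hits = [i.decode() for i in INDICATORS if i in low]
    executable = kind in ("pe", "lnk", "hta", "html-script", "vbs")
    return {"type": kind, "size": len(payload), "indicators": hits,
            "suspicious": executable or bool(hits)}


def triage_notebook(blob: bytes) -> list[dict]:
    """Run classify() over every file embedded in a notebook."""
    return [classify(p) for p in extract_embedded_files(blob)]


def frame_embedded_file(payload: bytes) -> bytes:
    """Wrap bytes in FileDataStoreObject framing (used only to build the sample)."""
    return (FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
            + payload + FILE_DATA_FOOTER)


def build_sample_notebook() -> bytes:
    """Constructed test input, NOT a real .one file.

    Only the embedded-object framing is faithful; the surrounding bytes are
    filler. The HTA is a stand-in that carries the indicator strings the
    article names but contains no download or execution logic.
    """
    hta = (b"<html><head><hta:application id=\"view\" showintaskbar=\"no\"></head>\n"
           b"<script language=\"vbscript\">\n"
           b"' stand-in only: the real stage drops the DLL under C:\\ProgramData\n"
           b"' and starts it with rundll32.exe\n"
           b"</script></html>")
    note = b"Quarterly planning notes, nothing embedded here is executable."
    return (b"\x00" * 64 + frame_embedded_file(hta) + b"\x00" * 32
            + frame_embedded_file(note) + b"\x00" * 16)


if __name__ == "__main__":
    for entry in triage_notebook(build_sample_notebook()):
        print(entry)
```

Run against a real notebook by reading the .one file in binary mode and passing the bytes to triage_notebook(); any entry with "suspicious" set is worth quarantining before the user ever sees the "Double Click to View File" lure. The carving step deliberately ignores everything except the embedded-file framing, so it works on notebooks the OneNote parser itself refuses to open.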