Recently, a new type of malware campaign called QakNote has been discovered in the wild. It uses malicious Microsoft OneNote attachments to infect systems with a banking trojan. Qbot is a former banking trojan that has evolved into malware that specializes in gaining initial access to devices, allowing threat actors to load additional malware, steal data, deploy ransomware, or carry out other malicious activities across a network.

Last month, OneNote attachments in phishing emails became a new attack vector, replacing the malicious macros in Office documents that Microsoft disabled by default in July 2022. Threat actors can embed almost any type of file, such as VBS attachments or LNK files, into malicious OneNote documents. When a user double-clicks on the embedded attachment in a OneNote Notebook, the file is executed. To convince users to click on the malicious attachment, threat actors use social engineering tactics, such as a 'Double Click to View File' button. Once launched, the embedded attachment can execute commands to download and install malware.

According to a report by Sophos, QBot's operators have been experimenting with this new distribution method since January 31, 2023, using OneNote files that contain an embedded HTML application (HTA) that retrieves the QBot malware payload. The QBot payload injects itself into the Windows Assistive Technology manager to hide its presence and avoid detection by antivirus tools. Sophos reports that QBot's operators use two methods to distribute these HTA files: one that sends emails with an embedded link to the weaponized OneNote file, and one that uses the Thread Injection method. This is a particularly tricky technique where the QBot operators hijack existing email threads and send a Reply-to-all message with a malicious OneNote Notebook file as an attachment.

To make the attack even more deceptive, the threat actors use a fake button in the Notebook file that supposedly downloads the document from the cloud, but if clicked, it instead runs the embedded HTA attachment. As a defense against this new attack vector, Sophos suggests that email administrators consider blocking all .one file extensions, as they are not commonly sent as attachments.
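A gateway-side implementation of the block Sophos recommends, added here as an example rather than code from the article or from Sophos. It flags mail attachments that are OneNote files either by the `.one` extension or by the 16-byte OneNote file signature (the GUID `{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}` serialised little-endian, as listed in the file(1) magic database); the signature check goes one step beyond the article's extension-only advice so that a renamed notebook is still caught. The sample message and its attachment contents are constructed inline for the demonstration.

```python
"""Flag OneNote (.one) attachments at a mail gateway, by extension and by file
signature. Added example; the message inspected here is constructed for the demo."""
import email
import os
from email import policy
from email.message import EmailMessage

# First 16 bytes of a OneNote .one file: GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3},
# stored little-endian on disk (the same magic that file(1) uses to identify OneNote).
ONE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")

# Extensions the gateway refuses outright, per the article's recommendation.
BLOCKED_EXTENSIONS = {".one"}


def is_onenote_payload(data: bytes) -> bool:
    """True if the attachment bytes start with the OneNote file signature."""
    return data[:16] == ONE_MAGIC


def find_blocked_attachments(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment that is a OneNote file by name or by content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        by_ext = ext in BLOCKED_EXTENSIONS
        by_magic = is_onenote_payload(data)
        if by_ext or by_magic:
            findings.append({"filename": name, "by_extension": by_ext, "by_magic": by_magic})
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a real-looking .one, a renamed .one, and a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "RE: RE: invoice"  # mimics a hijacked thread reply
    msg.set_content("Please see the attached notebook.")
    # Constructed payloads: the OneNote signature followed by filler bytes.
    notebook = ONE_MAGIC + b"\x00" * 64
    msg.add_attachment(notebook, maintype="application", subtype="octet-stream",
                       filename="invoice.one")
    msg.add_attachment(notebook, maintype="application", subtype="octet-stream",
                       filename="invoice.txt")  # renamed to dodge an extension filter
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_blocked_attachments(build_sample_message()):
        print(finding)
```

Run as a script, the example reports `invoice.one` (matched by extension and signature) and `invoice.txt` (matched by signature only), while the PDF passes. Hooking `find_blocked_attachments` into a content filter such as a milter lets the gateway reject or quarantine the message before a user ever sees the fake "download from cloud" button.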
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 07 Feb 2023 22:21:03 +0000