Malicious QakNote Software Utilizing Microsoft OneNote to Spread QBot Virus

Recently, a new type of malware called QakNote has been discovered in the wild. It uses malicious Microsoft OneNote attachments to infect systems with a banking trojan. QBot is a former banking trojan that has evolved into a type of malware that specializes in gaining access to devices, allowing threat actors to load additional malware and steal data, deploy ransomware, or carry out other malicious activities across a network. Last month, OneNote attachments in phishing emails became a new attack vector to replace malicious macros in Office documents, which Microsoft disabled in July 2022.

Threat actors can embed almost any type of file, such as VBS attachments or LNK files, into malicious OneNote documents. When a user double-clicks on the embedded attachment in a OneNote Notebook, the file is executed. To convince users to click on the malicious attachment, threat actors use social engineering tactics, such as a 'Double Click to View File' button. Once launched, the embedded attachment can execute commands to download and install malware. According to a report by Sophos, QBot's operators have been experimenting with this new distribution method since January 31, 2023, using OneNote files that contain an embedded HTML application (HTA) that retrieves the QBot malware payload. The QBot payload injects itself into the Windows Assistive Technology manager to hide its presence and avoid detection by antivirus tools.

Sophos reports that QBot's operators use two methods to distribute these HTA files: one that sends emails with an embedded link to the weaponized OneNote file, and one that uses the thread injection method. This is a particularly tricky technique in which the QBot operators hijack existing email threads and send a reply-to-all message with a malicious OneNote Notebook file as an attachment. To make the attack even more deceptive, the threat actors use a fake button in the Notebook file that supposedly downloads the document from the cloud, but if clicked, it instead runs the embedded HTA attachment. As a defense against this new attack vector, Sophos suggests that email administrators consider blocking all .one file extensions, as they are not commonly sent as attachments.
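As an added defender-side example (not from the article or from Sophos), the script below walks a .one file for the embedded-file structures that carry attachments such as the HTA described above and flags executable payload types, so a mail gateway can block on content rather than only on the .one extension. The FileDataStoreObject GUIDs and 36-byte header layout are assumed from Microsoft's public MS-ONE specification, and the sample notebook is constructed inline.

```python
import struct

# FileDataStoreObject header/footer GUIDs from the public MS-ONE file-format
# spec, in the little-endian byte order they appear on disk (assumption: these
# values come from the spec, not from the article).
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
FDSO_HDR_LEN = 36  # guid(16) + cbLength(8) + unused(4) + reserved(8)
RISKY = {"PE", "LNK", "HTA", "VBS"}

def classify(payload: bytes) -> str:
    """Crude content sniffing of an embedded attachment's first bytes."""
    head = payload[:8]
    if head.startswith(b"MZ"):
        return "PE"
    if head == b"\x4c\x00\x00\x00\x01\x14\x02\x00":  # ShellLink size + CLSID start
        return "LNK"
    low = payload[:4096].lower()
    if b"<hta:application" in low or b"<script" in low:
        return "HTA"
    if b"createobject(" in low or b"wscript" in low:
        return "VBS"
    return "other"

def extract_embedded_files(data: bytes) -> list:
    """Describe every FileDataStoreObject found in a .one blob."""
    found, pos = [], data.find(FDSO_HEADER)
    while pos != -1:
        if pos + FDSO_HDR_LEN > len(data):  # header cut off: still report it
            found.append({"offset": pos, "size": None, "kind": "other", "truncated": True})
            break
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start, end = pos + FDSO_HDR_LEN, pos + FDSO_HDR_LEN + length
        found.append({"offset": pos, "size": length, "kind": classify(data[start:end]),
                      "truncated": end > len(data) or data[end:end + 16] != FDSO_FOOTER})
        pos = data.find(FDSO_HEADER, pos + 16)
    return found

def triage(data: bytes) -> dict:
    """Gateway verdict: block when any embedded object looks executable."""
    objs = extract_embedded_files(data)
    return {"embedded": len(objs),
            "risky_kinds": sorted({o["kind"] for o in objs if o["kind"] in RISKY}),
            "block": any(o["kind"] in RISKY for o in objs)}

def build_fdso(payload: bytes) -> bytes:
    """Constructed helper: wrap a payload in a minimal FileDataStoreObject."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER

# Constructed sample notebook: one HTA attachment plus one harmless PNG, with filler.
SAMPLE_HTA = b'<html><hta:application/><script>alert("demo")</script></html>'
SAMPLE_ONE = b"\x00" * 64 + build_fdso(SAMPLE_HTA) + b"\x00" * 32 + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)

if __name__ == "__main__":
    print(triage(SAMPLE_ONE))
```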

This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 07 Feb 2023 22:21:03 +0000

