Cyble – Qakbot’s Evolution Continues With New Strategies

Threat Actor Leveraging Microsoft OneNote To infect Users

Threat Actors (TAs) continuously adopt new tactics for infecting users for several reasons, including avoiding detection by anti-virus solutions, increasing the likelihood of successful infections, and seeking the challenge of creating new methods of infecting victims.

Recently, several malware families have been spotted using OneNote attachments in their spam campaigns. OneNote is a powerful digital notebook tool offered by Microsoft. It provides users with a centralized location to store their thoughts, ideas, and notes in an organized manner.  

In December, Trustwave discovered that Formbook malware was being delivered through spam emails containing OneNote attachments. Since then, various malware families, including Redline Stealer and Asyncrat, have started incorporating OneNote attachments in their spam campaigns. Cyble Research Intelligence Labs (CRIL) has also noticed that the Qakbot malware uses OneNote attachments in their campaigns.

Initial Infection

The initial infection starts with a spam email containing a OneNote attachment. When the user opens the attachment, it drops an embedded .hta file executed by mstha.exe. This results in downloading a Qakbot DLL file, which is then executed by rundll32.exe. The below figure shows the Qakbot delivery mechanism.

Figure 1 Qakbot delivery mechanism 1
Figure 1: Qakbot delivery mechanism

Technical Analysis

The spam email has a subject line “OFERTA PO# 000938883 NSS” and has a OneNote attachment Named “ ApplicationReject_68390(Jan31).one”, as shown in Figure 2.

Figure 2 Initial Spam email containing OneNote file. 1
Figure 2: Initial Spam email containing OneNote file.

When the user opens the OneNote attachment, it shows a fake OneNote page that appears to contain an attachment from the cloud. This page tricks the user into double-clicking to view the attachment, which initiates the Qakbot infection process.

The figure below shows the Fake OneNote Page.

Figure 3 Fake OneNote Page 1
Figure 3: Fake OneNote Page

After clicking the “open” button on the OneNote page, it silently drops a .hta file named “attachment.hta” in the background and executes it using mshta.exe.

The figure below shows the content of the .hta file.

figure 4 source code of .hta file 1
Figure 4: Source code of the.hta file

The .hta file contains two JavaScript and two VBscript and performs the following operations when executed.

  1. First, the JavaScript gets the obfuscated data from the <div> element and stores it in a variable “content”.
  2. The vbscript now creates an in-string value “Name” under the registry key HKEY_CURRENT_USERSOFTWAREFirmSoft and writes the obfuscated content stored in the previous step.
  3. Another JavaScript now reads the obfuscated content from the registry and creates an anonymous function by using replace method.

The figure below shows the anonymous function.

Figure 5 An Anonymous function 1
Figure 5: An Anonymous function
  • This JavaScript also calls the anonymous function by passing the url “hxxp://77[.]75[.]230[.]128/19825[.]dat”as an argument to it.  
  • The anonymous function now creates a wscript.shell object and executes curl.exe to download “19825.dat” file from the remote server and saves to %Programdata% location as “121.png”. The “121.png” is a Qakbot DLL file that will be executed using “rundll32.exe” by JavaScript.
  • After execution, the last VBscript present in the .hta file deletes the registry key “Name” and shows the fake message to the victim, as shown below.
Figure 6 displays a Fake message to the victims 1
Figure 6: Displaying a Fake message to the victims

The below figure shows the process tree of Qakbot. After executing the DLL file, it injects malicious code into “wermger.exe” to perform stealing activities.

Figure 7 Qakbot Process tree. 1
Figure 7: Qakbot Process tree.

Qakbot can steal sensitive information such as usernames, passwords, and cookies from browsers and steals emails from an infected machine. It can also spread to other devices within the network to deploy other malware families, such as ransomware.

Conclusion

Qakbot is a Prevalent and constantly evolving malware that can have serious consequences for its victims, such as financial fraud, identity theft, etc. In this case, the Qakbot malware spreads via spam emails containing OneNote attachments. Cyble Research Labs is monitoring the activity of Qakbot and will continue to inform our readers about any updates promptly.

Our Recommendations 

  • Do not open emails from unknown or unverified senders.
  • Avoid downloading pirated software from unverified sites.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Keep updating your passwords after certain intervals.
  • Use reputed anti-virus solutions and internet security software packages on your connected devices, including PCs, laptops, and mobile devices.  
  • Avoid opening untrusted links and email attachments without first verifying their authenticity.   
  • Block URLs that could use to spread the malware, e.g., Torrent/Warez.  
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.  
  • Enable Data Loss Prevention (DLP) Solutions on employees’ systems.

MITRE ATT&CK® Techniques

Tactic  Technique ID  Technique Name 
Initial Access T1566 Phishing
Execution  T1204
T1059
T1218
T1047
User Execution 
Command and Scripting Interpreter 
Rundll32 
Windows Management Instrumentation 
Defense Evasion  T1027  Obfuscated Files or Information 
Command and Control  T1071 
T1095 
Application Layer Protocol 
Non-Application Layer Protocol 

Indicators of Compromise (IOCs)

Indicators  Indicator  
Type 
Description 
b53bc20c9191f83e511c617ec7b8a5e05d5b77be5a1e44276f8cae761010d7d7 Sha256  Eml File
f18f10f9b74b987bf98d163bdfb7b619dcb7b39b3349ae3ccdcc5f348d6e0c75 Sha256  OneNote File
7a51e7dec2080d22fea9edd2757b68687a7ba8c4dd1ba83ea7e68dc73539134b Sha256  .HTA File
26b4c1b52c357b6c876c28ccbe95b86f93767142c050952c92cd774cc7dd8d37 Sha256  Qakbot Dll
hxxp://77[.]75[.]230[.]128/19825[.]dat   URL Download URL

Source: https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/