Ongoing Qakbot OneNote Campaign

THE THREAT

eSentire has detected a resurgence in Qakbot malware activity. The campaign was first identified on January 31st, and a notable increase in Qakbot activity was observed during the week of February 6th. Qakbot is a former banking trojan that now primarily functions as a loader for other threats including ransomware. 

In recently observed attacks, threat actors deliver malicious OneNote documents to potential victims via email as attachments. eSentire has observed Interview and Invoice themed lures to trick end-users into interacting with the malicious content (Figure 1). Organizations need to ensure that employees are aware of current email-based threats and have an escalation path in place to report potentially malicious content for review.

What we’re doing about it

• eSentire MDR for Endpoint, Machine-Learning Powered BlueSteel, and eSentire MDR for Network detect Qakbot malware and associated post-infection activity
• Known attacker infrastructure has been blocked via eSentire’s global deny list
• Based on recently identified incidents, new detections for eSentire MDR for Endpoint have been deployed
• eSentire security teams continue to track this campaign for additional details and detection opportunities

What you should do about it

• Ensure antivirus signatures are up-to-date
• Confirm endpoint detection and response technology are deployed across all endpoints
• If not required for legitimate business purposes, consider blocking OneNote attachments in email
• Train users to identify and report potentially malicious content
  • Users should specifically be aware of the threat of OneNote documents for malware delivery (See figures 1, 2, & 3 for malicious email and OneNote examples)

Additional information

OneNote for the delivery of malicious content is a growing trend amongst threat actor groups. This change is attributed to Microsoft’s decision to change the default behavior of Office applications to block macros in files from the internet. Other malware recently reported to be delivered via OneNote documents includes IcedID, Bumblebee, and QuasarRAT.

In the recently observed campaign, email was used for initial delivery of the OneNote document. The payload within OneNote attachment is a Windows Command Script (.cmd) file that contains the PowerShell command to download the Qakbot payload. The downloaded payloads are DLL (Dynamic link library) files disguised as PNG and GIF images. Lastly, RunDLL32 executes the final payload (Figure 4). eSentire is aware of external reports where the initial email includes a link leading to a OneNote download page.

The attacker objective was not identified as the incidents were remediated prior to attacker goals being actioned. eSentire did observe reconnaissance activity during post intrusion actions. Based on previously observed Qakbot activity, it is highly likely that infections would be used to enable follow on ransomware attacks.

Qakbot has been in active use since at least 2008. The eSentire Threat Intelligence team assesses that it is almost certain that Qakbot activity will continue through 2023, barring significant law-enforcement action.

Observed Reconnaissance Commands: 

• net view
• cmd /c set
• arp -a
• ipconfig /all
• net share
• route print
• netstat -nao
• net localgroup
• whoami /all

Figure 1: Phishing Email

Figure 2: Malicious OneNote document

Figure 3: Malicious OneNote document, example two

Figure 4: Qakbot Process Tree

References:
[1] https://twitter.com/Max_Mal_/status/1620423779737567236