What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Mar 15, 2023
CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Zero-Day Vulnerability
THE THREAT On March 14th, as part of Microsoft’s monthly Patch Tuesday release, the company disclosed a critical, actively exploited vulnerability impacting Microsoft Office and Outlook. The…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Mar 20, 2023
Exertis and eSentire Partner to Deliver 24/7 Multi-Signal MDR, Digital Forensics & IR Services and Exposure Management to Organisations Across the UK, Ireland, and Europe
Basingstoke, UK– 20 March, 2023. Leading technology distributor, Exertis, announced today that it has bolstered its cybersecurity services, adding eSentire, the Authority in Managed Detection and Response (MDR), to its Enterprise portfolio of offerings. eSentire’s award-winning, 24/7 multi-signal MDR, Digital Forensics & Incident Response (IR), and Exposure Management services will be available…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Security advisories — Feb 08, 2023

Ongoing Qakbot OneNote Campaign

2 minutes read
Speak With A Security Expert Now

THE THREAT

eSentire has detected a resurgence in Qakbot malware activity. The campaign was first identified on January 31st, and a notable increase in Qakbot activity was observed during the week of February 6th. Qakbot is a former banking trojan that now primarily functions as a loader for other threats including ransomware. 

In recently observed attacks, threat actors deliver malicious OneNote documents to potential victims via email as attachments. eSentire has observed Interview and Invoice themed lures to trick end-users into interacting with the malicious content (Figure 1). Organizations need to ensure that employees are aware of current email-based threats and have an escalation path in place to report potentially malicious content for review.

What we’re doing about it

What you should do about it

Additional information

OneNote for the delivery of malicious content is a growing trend amongst threat actor groups. This change is attributed to Microsoft’s decision to change the default behavior of Office applications to block macros in files from the internet. Other malware recently reported to be delivered via OneNote documents includes IcedID, Bumblebee, and QuasarRAT.

In the recently observed campaign, email was used for initial delivery of the OneNote document. The payload within OneNote attachment is a Windows Command Script (.cmd) file that contains the PowerShell command to download the Qakbot payload. The downloaded payloads are DLL (Dynamic link library) files disguised as PNG and GIF images. Lastly, RunDLL32 executes the final payload (Figure 4). eSentire is aware of external reports where the initial email includes a link leading to a OneNote download page.

The attacker objective was not identified as the incidents were remediated prior to attacker goals being actioned. eSentire did observe reconnaissance activity during post intrusion actions. Based on previously observed Qakbot activity, it is highly likely that infections would be used to enable follow on ransomware attacks.

Qakbot has been in active use since at least 2008. The eSentire Threat Intelligence team assesses that it is almost certain that Qakbot activity will continue through 2023, barring significant law-enforcement action.

Observed Reconnaissance Commands: 

Indicators of Compromise

107[.]178[.]108[.]59

IP Address

https[:]//shifa365[.]com/hgxU5/01[.]gif

Domain

109[.]149[.]147[.]177

IP Address

144[.]217[.]139[.]27

IP Address

https[:]//starcomputadoras[.]com/lt2eLM6/01[.]gif

Domain

148[.]163[.]69[.]171

IP Address

107[.]178[.]112[.]47

IP Address

116[.]75[.]63[.]203

IP Address

92[.]8[.]191[.]120

IP Address

https[:]//somosacce[.]org/aswyw/01[.]gif

Domain

92[.]8[.]191[.]120

IP Address

https[:]//tassoinmobiliaria[.]com/56G0/01[.]gif

Domain

107[.]178[.]108[.]59

IP Address

https[:]//shifa365[.]com/hgxU5/01[.]gif

Domain

148[.]163[.]69[.]171

IP Address

https[:]//tassoinmobiliaria[.]com/56G0/01[.]gif

Domain

107[.]178[.]102[.]96

IP Address

https[:]//khatriassociates[.]com/MBt/3[.]gif

Domain

https[:]//famille2point0[.]com/oghHO/01[.]png

Domain

Figure 1: Phishing Email

Figure 2: Malicious OneNote document

Figure 3: Malicious OneNote document, example two

Figure 4: Qakbot Process Tree

References:
[1] https://twitter.com/Max_Mal_/status/1620423779737567236

View Most Recent Blogs