Cyble Research Intelligence Labs (CRIL) detected a spam campaign that used the Qakbot malware, deployed via a OneNote attachment that the users were nudged to download. The Qakbot malware is capable of stealing usernames, passwords, and cookies from browsers.
The campaign involving Qakbot malware in OneNote begins by sending a malicious email dropping an embedded .hta file that is executed by mstha.exe. The subject on the email sample read “OFERTA PO# 000938883 NSS”, and the OneNote file was named “ApplicationReject_68390(Jan31).one.”
“Kindly check the attached document,” read the email, followed by a grammatically incorrect sentence, “It would be curious for you.”
The Qakbot malware in OneNote can also steal emails from the systems and spread itself to devices within the network. It can deploy ransomware as planned by the threat actor.
Technical details of the Qakbot malware in OneNote
The OneNote attachment appears to be from the cloud, which after double clicking as directed in the email, triggers the Qakbot attack. First, it drops a .hta file named ‘attachment.hta’ that executes itself using mshta.exe.
Sample of the .hta file (Image: Cyble)
There are two JavaScript and VBscript wach in the .hta file that obfuscates the target’s data from <div> element and carries it to the variable ‘content.’
The vbscript creates an in-string value in the registry key named ‘Name’. The registry key it uses is HKEY_CURRENT_USER\SOFTWARE\Firm\Soft which is used to copy in the stolen data. The JavaScript reads the data and creates an anonymous function using the replace method.
The Anonymous function started by JavaScript (Image: Cyble)
The anonymous function can also be called by sending the URL ‘http://77[.]75[.]230[.]128/19825%5B.%5Ddat’ in the form of an argument. The anonymous function starts a wscript.shell object to execute curl.exe. Thereafter, 19825.dat file gets downloaded from the remote server, which is saved as 121.png in %Programdata%
This 121.png file is the Qakbot DLL that executes itself using rundll32.exe in JavaScript. Lastly, the user is shown a fake message that reads, “This document is corrupted and could not be opened.” This message reflects after the last VBscript in the .hta file deletes the registry key ‘Name.’
CRIL researchers shared with The Cyber Express that since Qakbot is an evolving malware, and users must not open links from Torrents or Warez that could potentially be malware.
Administrators are also urged to closely watch the beacon on the network to avoid exfiltration of data. They can also opt for Data Loss Prevention (DLP) solutions to monitor the movement of data.
