Security News > 2023 > February > New QakNote attacks push QBot malware via Microsoft OneNote files

A new QBot malware campaign dubbed "QakNote" has been observed in the wild since last week, using malicious Microsoft OneNote'.

Qbot is a former banking trojan that evolved into malware that specializes in gaining initial access to devices, enabling threat actors to load additional malware on the compromised machines and perform data-stealing, ransomware, or other activities across an entire network.

OneNote attachments in phishing emails emerged last month as a new attack vector to replace malicious macros in Office documents that Microsoft disabled in July 2022, leaving threat actors with fewer options to execute code on targets' devices.

Threat actors can embed almost any file type when creating malicious OneNote documents, including VBS attachments or LNK files.

In the new report by Sophos, security researcher Andrew Brandt explains that QBot's operators have started experimenting with this new distribution method since January 31, 2023, using OneNote files that contain an embedded HTML application that retrieves the QBot malware payload. This switch in QBot's distribution was first publicly reported by Cynet's researcher Max Malyutin on Twitter on January 31, 2023.

The latter is a particularly tricky technique where the QBot operators hijack existing email threads and send a "Reply-to-all" message to its participants with a malicious OneNote Notebook file as the attachment.

News URL

https://www.bleepingcomputer.com/news/security/new-qaknote-attacks-push-qbot-malware-via-microsoft-onenote-files/