Security News > 2023 > February > New QakNote attacks push QBot malware via Microsoft OneNote files
A new QBot malware campaign dubbed "QakNote" has been observed in the wild since last week, using malicious Microsoft OneNote'.
Qbot is a former banking trojan that evolved into malware that specializes in gaining initial access to devices, enabling threat actors to load additional malware on the compromised machines and perform data-stealing, ransomware, or other activities across an entire network.
OneNote attachments in phishing emails emerged last month as a new attack vector to replace malicious macros in Office documents that Microsoft disabled in July 2022, leaving threat actors with fewer options to execute code on targets' devices.
Threat actors can embed almost any file type when creating malicious OneNote documents, including VBS attachments or LNK files.
In the new report by Sophos, security researcher Andrew Brandt explains that QBot's operators have started experimenting with this new distribution method since January 31, 2023, using OneNote files that contain an embedded HTML application that retrieves the QBot malware payload. This switch in QBot's distribution was first publicly reported by Cynet's researcher Max Malyutin on Twitter on January 31, 2023.
The latter is a particularly tricky technique where the QBot operators hijack existing email threads and send a "Reply-to-all" message to its participants with a malicious OneNote Notebook file as the attachment.
News URL
Related news
- CISA warns of Microsoft Streaming bug exploited in malware attacks (source)
- DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT (source)
- From Deepfakes to Malware: AI's Expanding Role in Cyber Attacks (source)
- New BunnyLoader Malware Variant Surfaces with Modular Attack Features (source)
- Over 100 US and EU orgs targeted in StrelaStealer malware attacks (source)
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
- The Biggest Takeaways from Recent Malware Attacks (source)