blog.cyble.com
Open in
urlscan Pro
192.0.78.213
Public Scan
URL:
https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/
Submission: On June 14 via manual from PH — Scanned from DE
Submission: On June 14 via manual from PH — Scanned from DE
Form analysis
3 forms found in the DOMGET https://blog.cyble.com
<form class="hfe-search-button-wrapper" role="search" action="https://blog.cyble.com" method="get">
<div class="hfe-search-form__container" role="tablist">
<input placeholder="Search " class="hfe-search-form__input" type="search" name="s" title="Search" value="">
<button id="clear-with-button" type="reset">
<i class="fas fa-times" aria-hidden="true"></i>
</button>
<button class="hfe-search-submit" type="submit">
<i class="fas fa-search" aria-hidden="true"></i>
</button>
</div>
</form>
GET https://blog.cyble.com
<form class="hfe-search-button-wrapper" role="search" action="https://blog.cyble.com" method="get">
<div class="hfe-search-form__container" role="tablist">
<input placeholder="Search Our Blog" class="hfe-search-form__input" type="search" name="s" title="Search" value="">
<button id="clear" type="reset">
<i class="fas fa-times clearable__clear" aria-hidden="true"></i>
</button>
</div>
</form>
<form id="jp-carousel-comment-form">
<label for="jp-carousel-comment-form-comment-field" class="screen-reader-text">Write a Comment...</label>
<textarea name="comment" class="jp-carousel-comment-form-field jp-carousel-comment-form-textarea" id="jp-carousel-comment-form-comment-field" placeholder="Write a Comment..."></textarea>
<div id="jp-carousel-comment-form-submit-and-info-wrapper">
<div id="jp-carousel-comment-form-commenting-as">
<fieldset>
<label for="jp-carousel-comment-form-email-field">Email</label>
<input type="text" name="email" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-email-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-author-field">Name</label>
<input type="text" name="author" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-author-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-url-field">Website</label>
<input type="text" name="url" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-url-field">
</fieldset>
</div>
<input type="submit" name="submit" class="jp-carousel-comment-form-button" id="jp-carousel-comment-form-button-submit" value="Post Comment">
</div>
</form>
Text Content
Skip to content Search for your darkweb exposure Main Menu * Home * About Us * Products * Cyble Vision * AmiBreached * Cyble Hawk * Odin (Internet Scanning) * The Cyber Express * Newsroom * Research Reports * Careers * Partner with us * Request Demo QAKBOT’S EVOLUTION CONTINUES WITH NEW STRATEGIES * February 1, 2023 THREAT ACTOR LEVERAGING MICROSOFT ONENOTE TO INFECT USERS Threat Actors (TAs) continuously adopt new tactics for infecting users for several reasons, including avoiding detection by anti-virus solutions, increasing the likelihood of successful infections, and seeking the challenge of creating new methods of infecting victims. Recently, several malware families have been spotted using OneNote attachments in their spam campaigns. OneNote is a powerful digital notebook tool offered by Microsoft. It provides users with a centralized location to store their thoughts, ideas, and notes in an organized manner. In December, Trustwave discovered that Formbook malware was being delivered through spam emails containing OneNote attachments. Since then, various malware families, including Redline Stealer and Asyncrat, have started incorporating OneNote attachments in their spam campaigns. Cyble Research Intelligence Labs (CRIL) has also noticed that the Qakbot malware uses OneNote attachments in their campaigns. INITIAL INFECTION The initial infection starts with a spam email containing a OneNote attachment. When the user opens the attachment, it drops an embedded .hta file executed by mstha.exe. This results in downloading a Qakbot DLL file, which is then executed by rundll32.exe. The below figure shows the Qakbot delivery mechanism. Figure 1: Qakbot delivery mechanism TECHNICAL ANALYSIS The spam email has a subject line “OFERTA PO# 000938883 NSS” and has a OneNote attachment Named “ ApplicationReject_68390(Jan31).one”, as shown in Figure 2. Figure 2: Initial Spam email containing OneNote file. Technical Content! Subscribe to Unlock Sign up and get access to Cyble Research and Intelligence Labs' exclusive contents Email Unlock This Content When the user opens the OneNote attachment, it shows a fake OneNote page that appears to contain an attachment from the cloud. This page tricks the user into double-clicking to view the attachment, which initiates the Qakbot infection process. The figure below shows the Fake OneNote Page. Figure 3: Fake OneNote Page After clicking the “open” button on the OneNote page, it silently drops a .hta file named “attachment.hta” in the background and executes it using mshta.exe. The figure below shows the content of the .hta file. Figure 4: Source code of the.hta file The .hta file contains two JavaScript and two VBscript and performs the following operations when executed. 1. First, the JavaScript gets the obfuscated data from the <div> element and stores it in a variable “content”. 2. The vbscript now creates an in-string value “Name” under the registry key HKEY_CURRENT_USER\SOFTWARE\Firm\Soft and writes the obfuscated content stored in the previous step. 3. Another JavaScript now reads the obfuscated content from the registry and creates an anonymous function by using replace method. The figure below shows the anonymous function. Figure 5: An Anonymous function * This JavaScript also calls the anonymous function by passing the url “hxxp://77[.]75[.]230[.]128/19825[.]dat”as an argument to it. * The anonymous function now creates a wscript.shell object and executes curl.exe to download “19825.dat” file from the remote server and saves to %Programdata% location as “121.png”. The “121.png” is a Qakbot DLL file that will be executed using “rundll32.exe” by JavaScript. * After execution, the last VBscript present in the .hta file deletes the registry key “Name” and shows the fake message to the victim, as shown below. Figure 6: Displaying a Fake message to the victims The below figure shows the process tree of Qakbot. After executing the DLL file, it injects malicious code into “wermger.exe” to perform stealing activities. Figure 7: Qakbot Process tree. Qakbot can steal sensitive information such as usernames, passwords, and cookies from browsers and steals emails from an infected machine. It can also spread to other devices within the network to deploy other malware families, such as ransomware. CONCLUSION Qakbot is a Prevalent and constantly evolving malware that can have serious consequences for its victims, such as financial fraud, identity theft, etc. In this case, the Qakbot malware spreads via spam emails containing OneNote attachments. Cyble Research Labs is monitoring the activity of Qakbot and will continue to inform our readers about any updates promptly. OUR RECOMMENDATIONS * Do not open emails from unknown or unverified senders. * Avoid downloading pirated software from unverified sites. * Use strong passwords and enforce multi-factor authentication wherever possible. * Keep updating your passwords after certain intervals. * Use reputed anti-virus solutions and internet security software packages on your connected devices, including PCs, laptops, and mobile devices. * Avoid opening untrusted links and email attachments without first verifying their authenticity. * Block URLs that could use to spread the malware, e.g., Torrent/Warez. * Monitor the beacon on the network level to block data exfiltration by malware or TAs. * Enable Data Loss Prevention (DLP) Solutions on employees’ systems. MITRE ATT&CK® TECHNIQUES Tactic Technique ID Technique Name Initial AccessT1566PhishingExecution T1204 T1059 T1218 T1047User Execution Command and Scripting Interpreter Rundll32 Windows Management Instrumentation Defense Evasion T1027 Obfuscated Files or Information Command and Control T1071 T1095 Application Layer Protocol Non-Application Layer Protocol INDICATORS OF COMPROMISE (IOCS) Indicators Indicator Type Description b53bc20c9191f83e511c617ec7b8a5e05d5b77be5a1e44276f8cae761010d7d7Sha256 Eml Filef18f10f9b74b987bf98d163bdfb7b619dcb7b39b3349ae3ccdcc5f348d6e0c75Sha256 OneNote File7a51e7dec2080d22fea9edd2757b68687a7ba8c4dd1ba83ea7e68dc73539134bSha256 .HTA File26b4c1b52c357b6c876c28ccbe95b86f93767142c050952c92cd774cc7dd8d37Sha256 Qakbot Dllhxxp://77[.]75[.]230[.]128/19825[.]dat URLDownload URL RECENT BLOGS THREAT ACTOR TARGETS RUSSIAN GAMING COMMUNITY WITH WANNACRY-IMITATOR June 13, 2023 OVER 45 THOUSAND USERS FELL VICTIM TO MALICIOUS PYPI PACKAGES June 9, 2023 UNMASKING THE DARKRACE RANSOMWARE GANG June 8, 2023 PrevPreviousVector Stealer: A Gateway for RDP Hijacking NextNew BATLoader Disseminates RATs and StealersNext June 13, 2023 CRIL analyzes WannaCry-Imitator Ransomware, a phishing gaming site targeting the Russian Gaming community Read More » June 9, 2023 Through the analysis of more than 160 malicious Python packages, CRIL reveals insights into the threat landscape associated with Python packages. Read More » June 8, 2023 Cyble analyzes Darkrace, a new ransomware variant that shares similar characteristics to LockBit Ransomware. Read More » About Us Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, Dubai and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com. Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, Dubai and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com. Offices: We’re remote-friendly, with office locations around the world: San Francisco, Atlanta, Rome, Dubai, Mumbai, Bangalore, Singapore, Jakarta, Sydney, and Melbourne. UAE: Cyble Middle East FZE Suite 1702, Level 17, Boulevard Plaza Tower 1, Sheikh Mohammed Bin Rashid Boulevard, Downtown Dubai, Dubai, UAE contact@cyble.com +971 (4) 4018555 USA : Cyble, Inc. 11175 Cicero Drive Suite 100 Alpharetta, GA 30022 contact@cyble.com +1 678 379 3241 India: Cyble Infosec India Private Limited A 602, Rustomjee Central Park, Andheri Kurla Road Chakala, Andheri (East), Maharashtra Mumbai-400093, India contact@cyble.com +1 678 379 3241 Australia : Cyble Pty Limited Level 32, 367 Collins Street Melbourne VIC 3000 Australia contact@cyble.com +61 3 9005 6934 Singapore: Cyble Singapore Private Limited 38 North Canal Road, Singapore 059294 contact@cyble.com +1 678 379 3241 © 2023. Cyble Inc. All Rights Reserved Twitter Linkedin Scroll to Top Loading Comments... Write a Comment... Email Name Website We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok × We Value Your Privacy Settings NextRoll, Inc. ("NextRoll") and our advertising partners use cookies and similar technologies on this site and use personal data (e.g., your IP address). If you consent, the cookies, device identifiers, or other information can be stored or accessed on your device for the purposes described below. You can click "Allow All" or "Decline All" or click Settings above to customize your consent. NextRoll and our advertising partners process personal data to: ● Store and/or access information on a device; ● Create a personalized content profile; ● Select personalised content; ● Personalized ads, ad measurement and audience insights; ● Product development. For some of the purposes above, our advertising partners: ● Use precise geolocation data. Some of our partners rely on their legitimate business interests to process personal data. View our advertising partners if you wish to provide or deny consent for specific partners, review the purposes each partner believes they have a legitimate interest for, and object to such processing. If you select Decline All, you will still be able to view content on this site and you will still receive advertising, but the advertising will not be tailored for you. You may change your setting whenever you see the Manage consent preferences on this site. Decline All Allow All Manage consent preferences