Threat Actor Leveraging Microsoft OneNote To infect Users
Threat Actors (TAs) continuously adopt new tactics for infecting users for several reasons, including avoiding detection by anti-virus solutions, increasing the likelihood of successful infections, and seeking the challenge of creating new methods of infecting victims.
Recently, several malware families have been spotted using OneNote attachments in their spam campaigns. OneNote is a powerful digital notebook tool offered by Microsoft. It provides users with a centralized location to store their thoughts, ideas, and notes in an organized manner.
In December, Trustwave discovered that Formbook malware was being delivered through spam emails containing OneNote attachments. Since then, various malware families, including Redline Stealer and Asyncrat, have started incorporating OneNote attachments in their spam campaigns. Cyble Research Intelligence Labs (CRIL) has also noticed that the Qakbot malware uses OneNote attachments in their campaigns.
The initial infection starts with a spam email containing a OneNote attachment. When the user opens the attachment, it drops an embedded .hta file executed by mstha.exe. This results in downloading a Qakbot DLL file, which is then executed by rundll32.exe. The below figure shows the Qakbot delivery mechanism.
The spam email has a subject line “OFERTA PO# 000938883 NSS” and has a OneNote attachment Named “ ApplicationReject_68390(Jan31).one”, as shown in Figure 2.
When the user opens the OneNote attachment, it shows a fake OneNote page that appears to contain an attachment from the cloud. This page tricks the user into double-clicking to view the attachment, which initiates the Qakbot infection process.
The figure below shows the Fake OneNote Page.
After clicking the “open” button on the OneNote page, it silently drops a .hta file named “attachment.hta” in the background and executes it using mshta.exe.
The figure below shows the content of the .hta file.
- The vbscript now creates an in-string value “Name” under the registry key HKEY_CURRENT_USER\SOFTWARE\Firm\Soft and writes the obfuscated content stored in the previous step.
The figure below shows the anonymous function.
- After execution, the last VBscript present in the .hta file deletes the registry key “Name” and shows the fake message to the victim, as shown below.
The below figure shows the process tree of Qakbot. After executing the DLL file, it injects malicious code into “wermger.exe” to perform stealing activities.
Qakbot can steal sensitive information such as usernames, passwords, and cookies from browsers and steals emails from an infected machine. It can also spread to other devices within the network to deploy other malware families, such as ransomware.
Qakbot is a Prevalent and constantly evolving malware that can have serious consequences for its victims, such as financial fraud, identity theft, etc. In this case, the Qakbot malware spreads via spam emails containing OneNote attachments. Cyble Research Labs is monitoring the activity of Qakbot and will continue to inform our readers about any updates promptly.
- Do not open emails from unknown or unverified senders.
- Avoid downloading pirated software from unverified sites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Keep updating your passwords after certain intervals.
- Use reputed anti-virus solutions and internet security software packages on your connected devices, including PCs, laptops, and mobile devices.
- Avoid opening untrusted links and email attachments without first verifying their authenticity.
- Block URLs that could use to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on employees’ systems.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|User Execution |
Command and Scripting Interpreter
Windows Management Instrumentation
|Defense Evasion||T1027||Obfuscated Files or Information|
|Command and Control||T1071 |
|Application Layer Protocol |
Non-Application Layer Protocol
Indicators of Compromise (IOCs)