Threat Actor Leveraging Microsoft OneNote To infect Users
Threat Actors (TAs) continuously adopt new tactics for infecting users for several reasons, including avoiding detection by anti-virus solutions, increasing the likelihood of successful infections, and seeking the challenge of creating new methods of infecting victims.
Recently, several malware families have been spotted using OneNote attachments in their spam campaigns. OneNote is a powerful digital notebook tool offered by Microsoft. It provides users with a centralized location to store their thoughts, ideas, and notes in an organized manner.
In December, Trustwave discovered that Formbook malware was being delivered through spam emails containing OneNote attachments. Since then, various malware families, including Redline Stealer and Asyncrat, have started incorporating OneNote attachments in their spam campaigns. Cyble Research Intelligence Labs (CRIL) has also noticed that the Qakbot malware uses OneNote attachments in their campaigns.
Initial Infection
The initial infection starts with a spam email containing a OneNote attachment. When the user opens the attachment, it drops an embedded .hta file executed by mstha.exe. This results in downloading a Qakbot DLL file, which is then executed by rundll32.exe. The below figure shows the Qakbot delivery mechanism.
Technical Analysis
The spam email has a subject line “OFERTA PO# 000938883 NSS” and has a OneNote attachment Named “ ApplicationReject_68390(Jan31).one”, as shown in Figure 2.
When the user opens the OneNote attachment, it shows a fake OneNote page that appears to contain an attachment from the cloud. This page tricks the user into double-clicking to view the attachment, which initiates the Qakbot infection process.
The figure below shows the Fake OneNote Page.
After clicking the “open” button on the OneNote page, it silently drops a .hta file named “attachment.hta” in the background and executes it using mshta.exe.
The figure below shows the content of the .hta file.
The .hta file contains two JavaScript and two VBscript and performs the following operations when executed.
- First, the JavaScript gets the obfuscated data from the <div> element and stores it in a variable “content”.
- The vbscript now creates an in-string value “Name” under the registry key HKEY_CURRENT_USER\SOFTWARE\Firm\Soft and writes the obfuscated content stored in the previous step.
- Another JavaScript now reads the obfuscated content from the registry and creates an anonymous function by using replace method.
The figure below shows the anonymous function.
- This JavaScript also calls the anonymous function by passing the url “hxxp://77[.]75[.]230[.]128/19825[.]dat”as an argument to it.
- The anonymous function now creates a wscript.shell object and executes curl.exe to download “19825.dat” file from the remote server and saves to %Programdata% location as “121.png”. The “121.png” is a Qakbot DLL file that will be executed using “rundll32.exe” by JavaScript.
- After execution, the last VBscript present in the .hta file deletes the registry key “Name” and shows the fake message to the victim, as shown below.
The below figure shows the process tree of Qakbot. After executing the DLL file, it injects malicious code into “wermger.exe” to perform stealing activities.
Qakbot can steal sensitive information such as usernames, passwords, and cookies from browsers and steals emails from an infected machine. It can also spread to other devices within the network to deploy other malware families, such as ransomware.
Conclusion
Qakbot is a Prevalent and constantly evolving malware that can have serious consequences for its victims, such as financial fraud, identity theft, etc. In this case, the Qakbot malware spreads via spam emails containing OneNote attachments. Cyble Research Labs is monitoring the activity of Qakbot and will continue to inform our readers about any updates promptly.
Our Recommendations
- Do not open emails from unknown or unverified senders.
- Avoid downloading pirated software from unverified sites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Keep updating your passwords after certain intervals.
- Use reputed anti-virus solutions and internet security software packages on your connected devices, including PCs, laptops, and mobile devices.
- Avoid opening untrusted links and email attachments without first verifying their authenticity.
- Block URLs that could use to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 | Phishing |
| Execution | T1204 T1059 T1218 T1047 | User Execution Command and Scripting Interpreter Rundll32 Windows Management Instrumentation |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Command and Control | T1071 T1095 | Application Layer Protocol Non-Application Layer Protocol |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| b53bc20c9191f83e511c617ec7b8a5e05d5b77be5a1e44276f8cae761010d7d7 | Sha256 | Eml File |
| f18f10f9b74b987bf98d163bdfb7b619dcb7b39b3349ae3ccdcc5f348d6e0c75 | Sha256 | OneNote File |
| 7a51e7dec2080d22fea9edd2757b68687a7ba8c4dd1ba83ea7e68dc73539134b | Sha256 | .HTA File |
| 26b4c1b52c357b6c876c28ccbe95b86f93767142c050952c92cd774cc7dd8d37 | Sha256 | Qakbot Dll |
| hxxp://77[.]75[.]230[.]128/19825[.]dat | URL | Download URL |
