![]() Malicious file as email attachment (Figure 4): Attackers have used different attachment types to deliver the payload.In addition, they employed schemeless URLs to avoid detection, as some analysis engines are not capable of identifying and extracting these patterns. User-Agents from browsers on Mac/iOS, Linux, and Android are ignored. URL embedded in email downloads the malicious file: URL based attacks were coupled with IP address and User-Agent evasion which would only serve the malicious file if the User-Agent string comes from a Microsoft Windows computer.Attackers have been alternating between two attack vectors in different waves to achieve their goals: Based on our investigation, we believe that the tactic of leveraging OneNote documents to distribute other malware variants will continue to raise.įigure 3 Threat vectors of malicious OneNote campaignsĮmail has been the initial attack vector for the malware families abusing OneNote documents as the infection vector. We will show how we deobfuscate, unpack malicious parts and extract their configurations. ![]() Specifically, an analysis of malicious OneNote documents that led to a Qakbot loader DLL and its unpacked form. Our research presents an analysis of a new spreading vector of the Qakbot malware (Figure 3). A report from Sophos indicated that malicious actors were starting to distribute spearphishing emails with malicious Microsoft OneNote documents to infect users with variants from the Qakbot malware family. Recently, hijacked email threats have become popular for injecting their malicious email. Email has been the preferred initial attack vector for threat actors. Over the years, Qakbot has evolved with significant changes in terms of infection vectors. The sector with the highest number of infected IoCs was Banking, Financial, Wealth Management, followed by Government, and Outsourcing.įigure 2 Global heatmap of Qakbot detection over the last 3 months We have seen a considerable number of infections in the United States, India, Turkey, and Thailand, despite the fact that these campaigns do not seem to target a specific industry or country. Several outbreaks of Qakbot infections have been detected in numerous countries. Despite efforts to combat the virus over a decade, Qakbot remains a significant risk to individuals and organizations worldwide as shown in Figure 2, which illustrates a global heatmap of Qakbot detections. This timeline (Figure 1) shows the global Qakbot infection rate for the last 3 months, highlighting the continued threat of this dangerous malware distribution. It also used to be associated with TA570 which often uses the malware as an initial entry point in their campaigns.įigure 1 Qakbot infection rate for the last 3 months Qakbot has been used to drop ransomware such as Prolock, Egregor and DoppelPaymer. The malware is primarily spread through phishing emails and malicious attachments, although Qakbot has also been observed as a secondary payload, dropped by other botnets such as Emotet. Qakbot also contains multiple evasion techniques and sandbox detection. New functionalities have been added to include C2 communication to acquire additional malware modules and perform data exfiltration. ![]() It is primarily used to steal sensitive information from infected systems, such as login credentials and financial information, and can also be used to download and execute additional malware on the victim system. Qakbot has worm-like capabilities that allow it to propagate an infected network autonomously. Qakbot banking trojan is a sophisticated and dangerous piece of malware that has been active since at least 2007. Moreover, the Trellix Advanced Research Center has detected various campaigns that used OneNote documents to distribute other malware such as AsyncRAT, Icedid, XWorm etc. Since the end of January 2023, there has been an upsurge in the number of Qakbot campaigns using a novel delivery technique: OneNote documents for malware distribution. Qakbot (aka QBot, QuakBot, and Pinkslipbot) is a sophisticated piece of malware that has been active since at least 2007. ![]() Qakbot Evolves to OneNote Malware Distributionīy Pham Duy Phuc, Raghav Kapoor, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju
0 Comments
Leave a Reply. |