QakNote operators exploit MS OneNote to infect targets

February 22, 2023

The QakBot botnet operators have launched a new malware campaign that uses a new malicious payload dubbed QakNote. The botnet has evolved from a banking trojan into a multi-purpose botnet capable of lateral movement, reconnaissance, data exfiltration and theft, and payload delivery.

The new campaign started in the last weeks of January when the threat actors experimented with a new malware deployment strategy via OneNote files.

Image caption: The QakNote campaign spreads through OneNote attachments.

According to investigations, the QakNote botnet spreads through two spam campaigns that distribute MS OneNote attachments that contain an HTML application file.

In the first spam campaign, the actors distribute impersonal malspam containing a link to the weaponised [.]one file. In the second, the actors use a thread-hijacking tactic: they take over existing email threads and send a reply-to-all message to the participants with a compromised OneNote notebook embedded in it.

Furthermore, the botnet operators place a fake “Double Click to View” file button in the notebook that claims to download the document from the cloud. Once a target clicks the button, the HTA attachment embedded in the notebook runs and retrieves the malware payload.
</gml_replace>
<gr_replace lines="22" cat="clarify" orig="Subsequently, the embedded">
The embedded attachment then runs commands on the local device to download and install the Qbot malware. The researchers noted that most of the [.]hta files contain near-identical scripting and the same instructions for the remainder of the operation.

Subsequently, the embedded attachments could operate commands on the local device to download and install the Qbot malware. The researchers explained that most of the [.]hta archives include identical scripting language and instructions for the rest of the operation to follow.

The HTA script uses the legitimate curl[.]exe utility to download a DLL containing the QBot payload into the C:\ProgramData folder, and the DLL is then executed via Rundll32[.]exe.
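The chain above (an HTA embedded in a OneNote notebook that calls curl to fetch a DLL into ProgramData and runs it with Rundll32) can be triaged without opening the notebook, because OneNote stores embedded attachments as MS-ONESTORE FileDataStoreObject records with a fixed header GUID. The following added example, which is not part of the original article, carves those records from a .one byte stream, guesses the attachment type and reports which of the tooling names from the article appear in it; the notebook and the inert HTA text it scans are constructed here, not real samples.

```python
import re
import struct

# MS-ONESTORE FileDataStoreObject, as stored on disk (GUIDs in little-endian byte order).
# Layout: header GUID (16) | cbLength (8) | unused (4) | reserved (8) | FileData | footer GUID (16)
FDSO_HEADER = bytes.fromhex("E716E3BD66251145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
FDSO_DATA_OFFSET = 16 + 8 + 4 + 8

HTA_MARKERS = re.compile(rb"<script|hta:application", re.I)
# Tokens from the article's chain: curl.exe dropping a DLL into ProgramData, rundll32 running it.
INDICATORS = re.compile(rb"curl\.exe|rundll32\.exe|ProgramData", re.I)


def carve_embedded_files(data: bytes) -> list[bytes]:
    """Return the FileData of every FileDataStoreObject found in a .one byte stream."""
    blobs, pos = [], data.find(FDSO_HEADER)
    while pos != -1 and pos + FDSO_DATA_OFFSET <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_DATA_OFFSET
        blobs.append(data[start:start + length])  # slicing clamps a lying or truncated cbLength
        pos = data.find(FDSO_HEADER, start + length)
    return blobs


def classify(blob: bytes) -> str:
    """Cheap type guess: PE image, HTML application, or anything else."""
    if blob[:2] == b"MZ":
        return "pe"
    return "hta" if HTA_MARKERS.search(blob) else "other"


def scan_notebook(data: bytes) -> list[dict]:
    """Summarise each embedded file: type guess, size and which indicator tokens it contains."""
    return [{"kind": classify(b), "size": len(b),
             "indicators": sorted({m.group(0).decode("latin-1") for m in INDICATORS.finditer(b)})}
            for b in carve_embedded_files(data)]


def build_sample_notebook(payload: bytes) -> bytes:
    """Constructed stand-in for a .one file: padding plus a single FileDataStoreObject."""
    return (b"\x00" * 64 + FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
            + payload + FDSO_FOOTER + b"\x00" * 16)


# Constructed, inert HTA text that merely names the tooling the article describes.
SAMPLE_HTA = (b'<html><head><HTA:APPLICATION ID="sample"/>\n<script language="VBScript">\n'
              b"' placeholder comment: curl.exe, C:\\ProgramData\\, rundll32.exe\n"
              b"</script></head></html>")

if __name__ == "__main__":
    for entry in scan_notebook(build_sample_notebook(SAMPLE_HTA)):
        print(entry)
```

Point `scan_notebook` at the bytes of a quarantined .one file; an embedded attachment classified as `hta` is already a strong signal, and the indicator list tells an analyst whether it matches this campaign's download-and-run pattern.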

Lastly, the Qbot payload injects itself into the Windows Assistive Technology manager to hide its presence and evade detection by anti-virus tools installed on the targeted device.

Threat groups have been developing new ways to execute malicious code on targeted devices since Microsoft began blocking macros by default in Office documents in July last year.

Cybersecurity experts advise users to watch for the red flags of these attacks and to avoid opening suspicious attachments or links.
