Flash Notice: Beware - QakBot Group Infects Microsoft's OneNote with QakNote Malware

overview OF QAKBOT MALWARE

This week, security professionals are seeing an increase in malware campaigns impacting Microsoft’s OneNote – a note sharing component of Microsoft Teams. The group TA577 or QakBot has been distributing malware to infect systems via OneNote files since January 31, 2023. The malware campaigns have been named QakNote and they are actively making their way through various organizations.  

The researchers at Sophos observed two corresponding spam campaigns delivering malicious OneNote attachments embedded with an HTML application. One campaign involves the attackers hijacking existing email threads and sending a “reply-to-all message” to thread participants with an attached malicious OneNote Notebook. The second campaign involves the attackers sending malicious spam emails with an embedded link to a malicious .one file attachment.  

Previously, QakBot was known as a banking trojan, but it has since evolved into malware, allowing threat actors to load it on compromised devices to steal data and infect the devices with ransomware. The QakNote campaigns allow operators to embed most file types, such as VBS attachments and LNK files, when creating the malicious OneNote documents. If a target double-clicks on an embedded attachment in a OneNote Notebook, the malicious documents are executed.  

The attacker uses social engineering to convince the target of a “call to action”. One way they do this is by persuading the target to click on a fake “Double Click to View File” button, which then runs the embedded HTA attachment file and retrieves the malware payload. Usually, .one file extensions are not sent as attachments; therefore, it is highly recommended that email administrators block all .one file extensions.  

avertium's recommendations

• Avoid opening suspicious attachments of any kind – especially the following:  

• • .one file extensions.  
  • in[.]cmd 
  • open[.]cmd 
  • putty[.]jpg 

• Avoid clicking on suspicious links of any kind 

• Administrators should block all .one file extensions 

INDICATORS OF COMPROMISE (IoCs)

File Hashes

URLs 

• hxxps://a1revenue.co[.]uk/SQ.php?TSI=5  
• hxxps://gpshelpline[.]com/EAUD.php?NSII=10  
• hxxps://limpiotucompu[.]com/OSIQ.php?ELIEAOSMT=1  
• hxxps://smartvizx.com/UE.php?AISESCTISEBTUN=4  
• hxxps://babarbrotherscargo[.]com/RO.php?NI=1
• hxxps://rjll.org.pk/TUEI[.]php?CUM=3
• hxxps://isoatte[.]com/LOTV.php?NTUEDRSE=8
• myvigyan[.]com/m1YPt/300123[.]gif
• 77[.]75[.2]30[.]128/47820[.]dat
• 86[.]194[.]156[.]14:2222
• 91[.]234[.]254[.]213/55788[.]dat 
• hxxps:// jewishlabourbundarchive [.] net/ zdtK9c/01.gif 

Dropped Files 

• in[.]cmd 
• open[.]cmd 
• putty[.]jpg 

Email Attachment Filename 

• cancellation[.]one 

Important Note: Windows Defender detects the .one file as Trojan:JS/Obfuse[.]PRBF!MTB 

How Avertium is Protecting Our CUSTOMERS

• Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement. 
• Avertium offers user awareness training through KnowBe4. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks. 
• Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.

SUPPORTING DOCUMENTATION