There have been reports of a new wave of Qakbot campaigns that use a novel method of distributing malware as part of the delivery process. The name of this sophisticated malware is Qakbot, though this malware has several different names, such as Pinkslipbot, and QuakBot.
Research has found that Qakbot campaigns have been operating since 2007, and they are using OneNote documents to get the word out to the public. Infected systems tend to have malicious software that targets sensitive data from the systems, such as login credentials, financial data, and personal information.
It has been observed that Qakbot has been used in recent years to distribute ransomware via other botnets, such as Emotet, which drops a secondary payload onto their botnets.
In-Depth Discussion of the Subject
- As part of these campaigns, malware is delivered using two attack vectors; one attacker embeds the URL into the email to download the malicious file, and the other uses the malicious file as an attachment in an email.
- Documents in OneNote feature a call-to-action button that runs the payload associated with the document when clicked.
- Qakbot uses various evasion methods, such as anti-debugging techniques, anti-dynamic analysis techniques, anti-AV techniques, and encrypted communication between clients and servers.
- Banks, financial institutions, wealth management companies, and even public sector organizations are the most impacted, followed by organizations in the government and outsourcing sectors which are also impacted.
- Organizations in the United States, Thailand, India, and Turkey were targeted with the campaigns.
According to researchers at Sophos, two parallel spam campaigns, nicknamed Qaknote, were disseminating malicious OneNote attachments by embedding a malicious HTML application within the attachment.
- This campaign started with the dissemination of an impersonal malspam that contained a link to the malicious OneNote document embedded in the email. ·
- Inn the second case, a malicious OneNote notebook for unauthorized use was sent to all recipients in an email reply-to-all message that hijacked existing email threads by exploiting thread injection to hijack existing email threads.
- After downloading and installing Qbot through these attachments, it is now ready to use.
Recent Qakbot campaigns have been focused on specifically targeted sectors, in contrast to earlier campaigns that appeared indiscriminate, and researchers predict that this targeted approach will likely persist in future campaigns as well.
TTPs have been shared between researchers to help detect and mitigate the threats associated with this threat. Emails with attachments with unusual extensions are blocked, malicious websites are avoided, and top-level domains that are rarely used are blocked.