CrowdStrike observed eCrime adversaries shifting from macro-based delivery to OneNote attachments, embedding HTA, CMD, and JSE payloads to drop second-stage loaders. After Microsoft patched the MOTW vulnerability in ISO files (CVE-2022-41091) in November 2022, OneNote abuse surged, with groups like LUNAR SPIDER and MALLARD SPIDER leveraging OneNote builders to distribute payloads. #QakBot #LUNARSPIDER #MALLARDSPIDER #Shindig #Bumblebee #OneNote #CVE-2022-41091
Key Points
- Microsoft blocked Excel 4.0 macros, prompting eCrime actors to pivot from macro-based delivery to alternative vectors such as ISO files with LNKs and, later, OneNote.
- MOTW vulnerability in ISO files facilitated early infections; CVE-2022-41091 patch in Nov 2022 reduced ISO-based attacks and accelerated OneNote adoption.
- OneNote documents can embed HTA, LNK, CMD, and JSE files, enabling code execution and second-stage payload delivery from attacker infrastructure.
- Initial loader activity included use of loaders popular with access brokers; high-end actors like LUNAR SPIDER and MALLARD SPIDER now use OneNote for distribution, with builders advertising malicious OneNote files.
- Attack chain typically involves spearphishing OneNote attachments, MSHTA-based execution of Open.hta, and rundll32.exe launching second-stage payloads often masquerading as PNGs.
- Embedded content is obfuscated via encoding, junk strings, variables, and multi-language scripting to hinder analysis and detection.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Initial access via spearphishing attachment. ‘Initial Access via Spearphishing Attachment (MITRE Sub-technique T1566.001)’
- [T1218.005] MSHTA – Executing HTA payloads via Microsoft HTML Application Host. ‘OneNote.exe then spawned MSHTA.exe, which attempted to execute a file named Open.hta from a temporary directory.’
- [T1105] Ingress Tool Transfer – Embedded file downloads a second-stage payload from attacker infrastructure. ‘The embedded file executes obfuscated code to download a second-stage payload from the attacker infrastructure.’
- [T1112] Modify Registry – Creates and later deletes a registry value to store deobfuscated payload data. ‘Creates a registry value in the following path: HKCU\SOFTWARE\cqptlzug9ob8kvyy’ and later deletes it.
- [T1218.011] Rundll32 – Executes second-stage payload via rundll32.exe, masquerading as a .PNG. ‘The second-stage payload is stored on disk and executed via rundll32.exe, commonly masquerading as a .PNG file.’
- [T1059.001] PowerShell – Some variants use PowerShell scripts for payload execution. ‘PowerShell scripts’ are mentioned in the context of variants.
- [T1059.007] JavaScript – HTA variants leverage JavaScript within embedded scripts. ‘HTA files are executed by the Microsoft utility MSHTA.exe … capable of executing JavaScript, Jscript and VBScript.’
- [T1027] Obfuscated/Compressed Data – Content obfuscated using encoding, base64, and variable-based techniques. ‘obfuscated content within the embedded files, such as encoding, storing content and functions in variables, inserting random strings, and other forms of data manipulation.’
Indicators of Compromise
- [SHA256 Hash] DocumentsFolder_637695(Feb03).one – a28b68f86f05e14d671c1b43bbc662f8d502eb6955091c88af3750cfb4690685
- [Registry Key] HKCU\SOFTWARE\cqptlzug9ob8kvyy – present in JS
- [URL] QakBot staging URL – http[:]//87.236.146[.]112/80818.dat
- [SHA256 Hash] QakBot payloads – 701f9ce1be9a1eccda5834f50dec1f441da779ddf7849cc1cc82bb14b6749fba, 921768f68be2be43a13cf7ea14335ff8e558c080c35993cff86dc512d0e2649f