Qakbot Strikes Again: New Delivery Method Puts Millions of Devices at Risk

Discover the latest on the Qakbot malware campaigns using OneNote documents as a delivery method. Read about Qakbot’s history, capabilities, and initial infection vector.

A new wave of Qakbot campaigns has been detected using a novel delivery technique for malware distribution. Qakbot, a sophisticated and dangerous piece of malware, has been active since at least 2007 and is primarily designed to steal sensitive information from infected systems, such as login credentials and financial data. In recent years, Qakbot has also been observed as a secondary payload dropped by other botnets, such as Emotet, to distribute ransomware.

Trellix Advanced Research Center has detected various campaigns that use OneNote documents to distribute Qakbot and other malware such as AsyncRAT, IcedID, and XWorm. The malware is primarily spread through phishing emails carrying malicious attachments or links; in these new campaigns, the attachment is a OneNote document that carries the payload.

The campaigns have been alternating between two attack vectors, with one utilizing a URL embedded in the email to download the malicious file and the other using a malicious file as an email attachment. The OneNote documents used in the campaigns contain a Call-to-Action button that, when clicked, executes the embedded payload. Victims are warned before downloading the payload, but once they click “OK,” there is no warning message, and the payload is downloaded and executed.
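Because the payload travels inside the OneNote file itself, a defender's first triage step is to carve the embedded files out of the document before anyone clicks the button. The script below is an added example, not Trellix's own tooling: it scans a .one section for the FileDataStoreObject header GUID defined in Microsoft's MS-ONE file format specification, extracts each embedded blob, and flags executable content; the section it scans is constructed inline for the demonstration and is not a real sample.

```python
import re
import struct
from typing import Dict, List

# Little-endian byte form of the FileDataStoreObject guidHeader
# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} from the MS-ONE specification.
# Every file embedded in a OneNote section is wrapped in this structure:
#   guidHeader(16) | cbLength(8) | unused(4) | reserved(8) | FileData | guidFooter(16)
FILE_DATA_STORE_GUID = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")

# Coarse content sniffing for carved payloads: PE executables and LNK shortcuts
# by magic bytes, scripts by references to commonly abused Windows binaries.
SUSPICIOUS_MAGIC = {b"MZ": "pe-executable", b"\x4c\x00\x00\x00": "lnk-shortcut"}
SCRIPT_RE = re.compile(rb"(?i)(powershell|wscript|cscript|mshta|cmd\.exe|rundll32)")

def classify(payload: bytes) -> str:
    for magic, label in SUSPICIOUS_MAGIC.items():
        if payload.startswith(magic):
            return label
    if SCRIPT_RE.search(payload[:4096]):
        return "script-with-lolbin-reference"
    return "other"

def carve_embedded_files(data: bytes) -> List[Dict]:
    """Return offset, size and classification of every embedded file in a section."""
    findings, offset = [], 0
    while (pos := data.find(FILE_DATA_STORE_GUID, offset)) != -1:
        hdr = pos + 16
        if hdr + 20 > len(data):          # truncated header, nothing more to carve
            break
        (length,) = struct.unpack_from("<Q", data, hdr)
        start = hdr + 20                  # skip cbLength, unused and reserved fields
        payload = data[start:start + length]
        findings.append({"offset": pos, "size": length, "kind": classify(payload)})
        offset = start + max(length, 1)
    return findings

def is_suspicious(findings: List[Dict]) -> bool:
    return any(f["kind"] != "other" for f in findings)

def build_sample_section() -> bytes:
    """Constructed test data: a benign text attachment followed by a fake PE stub."""
    def wrap(blob: bytes) -> bytes:
        return FILE_DATA_STORE_GUID + struct.pack("<Q", len(blob)) + b"\x00" * 12 + blob
    filler = b"\x00" * 32
    fake_pe = b"MZ\x90\x00" + b"\x00" * 16   # constructed, not a real executable
    return filler + wrap(b"quarterly notes") + filler + wrap(fake_pe)

if __name__ == "__main__":
    for f in carve_embedded_files(build_sample_section()):
        print(f)
```

Run against a real .one attachment read in binary mode, any finding other than "other" is reason to hold the mail for analysis rather than deliver it.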

These campaigns have resulted in a considerable number of infections in the United States, India, Turkey, and Thailand, with the banking, financial, and wealth management sector accounting for the highest number of infection indicators (IoCs), followed by government and outsourcing. The malware employs multiple evasion and sandbox-detection techniques to avoid detection and analysis.

It is important to be vigilant and cautious when receiving emails with attachments or URLs and to be aware of the potential risks involved. We urge our readers to read our other blogs on malware and cybersecurity to stay informed and protected.