Researchers have uncovered a new campaign that uses Microsoft OneNote files to infect devices with the QBot malware.
A report from Sophos says the campaign, dubbed “QakNote”, is currently active, with as-yet unidentified threat actors sending phishing emails carrying OneNote notebook attachments that in turn contain embedded attachments of their own.
These embedded attachments can be in virtually any format; in this campaign they are HTA files, HTML Applications that Windows hands to mshta.exe and runs with the user's own privileges rather than inside the browser sandbox.
Multi-stage attacks
If launched, the application retrieves the QBot payload, which gives the attackers initial access to the target endpoint. They can later use that access to deploy second-stage malware, be it infostealers, ransomware, cryptominers, or something else entirely.
To trigger the attachment, the victim has to double-click a specific region of the notebook page.
Threat actors typically build a fake, blurred-out document with a large “Click Here to View” button, tricking recipients into believing the contents have been “protected” for privacy reasons. The button is an image laid over the embedded file, so double-clicking it opens the HTA rather than a document.
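Because OneNote stores attachments as raw bytes inside the notebook, a mail gateway or triage script can pull them out without opening the file. The Python below is an added example (my code, not Sophos's or the article's) that carves every embedded attachment from a OneNote section and flags script-capable types. It follows the FileDataStoreObject layout in Microsoft's MS-ONESTORE specification; the `.one` blob it scans is constructed inline (a stand-in lure image plus a harmless HTA skeleton) rather than a real QakNote sample, and the type labels (`hta`, `html_script`, `pe`, `lnk`) are my own naming.

```python
"""Carve embedded attachments out of a OneNote (.one) section file.

OneNote stores each attached file verbatim inside a FileDataStoreObject
(MS-ONESTORE): a 16-byte header GUID, an 8-byte little-endian length,
4 unused bytes, 8 reserved bytes, the raw file bytes, zero padding to an
8-byte boundary, and a 16-byte footer GUID. Nothing is compressed or
encoded, so a byte search recovers every attachment for inspection.
"""
import struct
import uuid
from dataclasses import dataclass

# On-disk (little-endian) forms of the GUIDs defined in MS-ONESTORE.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # .one section header
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
FDSO_PREFIX = struct.Struct("<16sQ4s8s")  # guidHeader, cbLength, unused, reserved

RISKY = {"hta", "html_script", "lnk", "pe"}  # my labels; tune per environment


@dataclass
class Embedded:
    offset: int      # offset of the FileDataStoreObject header in the file
    data: bytes      # the attachment exactly as the victim would receive it
    kind: str        # result of classify()
    footer_ok: bool  # footer GUID found where the spec says it should be


def is_onenote(blob: bytes) -> bool:
    """True if the blob starts with the OneNote section signature."""
    return blob[:16] == ONE_MAGIC


def classify(data: bytes) -> str:
    """Content sniffing: attackers pick the extension, so trust bytes, not names."""
    head = data[:16]
    low = data[:4096].lower()
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"L\x00\x00\x00\x01\x14\x02\x00"):  # ShellLink HeaderSize + CLSID
        return "lnk"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if b"<hta:application" in low:
        return "hta"
    if b"<script" in low:
        return "html_script"
    return "unknown"


def carve(blob: bytes) -> list[Embedded]:
    """Return every FileDataStoreObject in the blob, in file order."""
    found = []
    pos = 0
    while (pos := blob.find(FDSO_HEADER, pos)) != -1:
        if pos + FDSO_PREFIX.size > len(blob):
            break
        _, length, _, _ = FDSO_PREFIX.unpack_from(blob, pos)
        start = pos + FDSO_PREFIX.size
        end = start + length
        if end > len(blob):  # truncated file or lying length field; stop here
            break
        data = blob[start:end]
        # The footer follows at most 7 bytes of zero padding after the data.
        footer_ok = blob.find(FDSO_FOOTER, end, end + 7 + 16) != -1
        found.append(Embedded(pos, data, classify(data), footer_ok))
        pos = end
    return found


def risky_attachments(blob: bytes) -> list[Embedded]:
    """Attachments a mail gateway or EDR rule would want to quarantine."""
    return [e for e in carve(blob) if e.kind in RISKY]


# --- Constructed sample input (not a real QakNote file) -----------------------

def build_fdso(data: bytes) -> bytes:
    """Wrap raw bytes as a FileDataStoreObject; used only to build the sample."""
    pad = (-len(data)) % 8
    return (FDSO_PREFIX.pack(FDSO_HEADER, len(data), b"\0" * 4, b"\0" * 8)
            + data + b"\0" * pad + FDSO_FOOTER)


SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 20  # stand-in for the "Click Here" lure image
SAMPLE_HTA = (b'<html><head><hta:application id="x" windowstate="minimized"/>'
              b'<script>/* a real lure would fetch stage one here */</script></head></html>')
SAMPLE_ONE = (ONE_MAGIC + b"\0" * 64
              + build_fdso(SAMPLE_PNG) + b"\0" * 16
              + build_fdso(SAMPLE_HTA))

if __name__ == "__main__":
    print("OneNote section:", is_onenote(SAMPLE_ONE))
    for e in carve(SAMPLE_ONE):
        print(f"offset={e.offset:#x} size={len(e.data)} kind={e.kind} footer_ok={e.footer_ok}")
    print("risky:", [e.kind for e in risky_attachments(SAMPLE_ONE)])
```

Two design points: the classifier sniffs content rather than trusting a filename, because the attacker controls the name OneNote displays; and `carve` stops on a length field that runs past the end of the file, so a malformed or truncated notebook cannot make the scanner read out of bounds.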
Microsoft OneNote has emerged as one of the more popular threat vectors following the demise of Office macros. In 2022, Microsoft began blocking macros by default in Office files downloaded from the internet (those carrying the Mark of the Web), effectively shutting down one of the most common attack vectors in existence. Since then, threat actors have been looking for alternatives, and so far two methods are becoming increasingly popular.
OneNote files with malicious attachments is one of those methods; the second is shortcut files (.LNK) used to side-load malicious DLLs.
In the second method, the attackers send an archive containing a malicious DLL, a legitimate application such as the Windows Calculator, and a shortcut file whose icon has been changed to something innocuous (for example, a PDF icon). If the victim clicks the shortcut, it launches the legitimate application, which loads the malicious DLL from the same directory in place of the library it expects, a technique known as DLL side-loading.
Whichever method the attackers choose, all of them have one thing in common: they require action from the victim, who has to be the one to actually run the malicious code. That said, the best way to stay protected is to exercise common sense and be careful when opening files that arrive by email.
Via: BleepingComputer