apparelwqp.blogg.se

Onenote new notebook










Since December 2022, multiple security vendors and security researchers have observed a spike in malspam campaigns distributing different malware families that abuse Microsoft OneNote to circumvent security controls and infect users. The main initial infection chain relied on unwitting users clicking (T1204.001) on malicious hyperlinks (T1566.002) to download weaponized OneNote files or malicious OneNote file attachments, which further prompt users to double-click (T1204.002) on an “Open” or “View” button. The following are notable reports from December 2022 to February 2023:

  • In early to mid-February 2023, Cyble researchers reported on several malspam campaigns containing OneNote file attachments (T1566.001) that deliver QakBot (S0650) or BatLoader payloads onto the victim’s systems.

The QakBot campaigns attempt to lure users into downloading and opening the OneNote attachment, then convince them to double-click to view the file. When the user opens the attachment, it drops an embedded HTML application (.hta) file with hidden JavaScript (T1059.007) and VBScript (T1059.005) functions and executes mshta.exe (T1218.005) to download the QakBot payload from a remote server (T1071.001). Another case entailed the OneNote attachment dropping and executing an embedded BAT file (T1059), which launches a PowerShell script (T1059.001) to download a malicious DLL containing the QakBot malware from a remote location.
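The QakBot chains described above share a pattern that can be hunted for in process-creation telemetry: a script host running as a descendant of OneNote. The following is an added detection sketch, not code from the original report. The event field names (`pid`, `ppid`, `image`, `cmdline`), the `ONENOTE.EXE` parent process name and the sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename

# Script hosts named on this page, mapped to the ATT&CK IDs the page cites.
SUSPECT_CHILDREN = {
    "mshta.exe": "T1218.005",
    "cmd.exe": "T1059",
    "powershell.exe": "T1059.001",
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

def find_onenote_chains(events):
    """Return one finding per suspect process that descends from ONENOTE.EXE."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev["image"]).lower()
        if name not in SUSPECT_CHILDREN:
            continue
        # Walk up the parent chain; 'seen' guards against loops from PID reuse.
        chain, seen, cur = [name], {ev["pid"]}, by_pid.get(ev["ppid"])
        while cur and cur["pid"] not in seen:
            seen.add(cur["pid"])
            chain.append(basename(cur["image"]).lower())
            if chain[-1] == "onenote.exe":
                techniques = [SUSPECT_CHILDREN[name]]
                if URL_RE.search(ev["cmdline"]):
                    techniques.append("T1071.001")  # remote retrieval over HTTP(S)
                findings.append({"pid": ev["pid"],
                                 "chain": " > ".join(reversed(chain)),
                                 "techniques": techniques})
                break
            cur = by_pid.get(cur["ppid"])
    return findings

# Constructed sample events (not real telemetry); example.invalid is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE", "cmdline": "ONENOTE.EXE invoice.one"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\Open.hta"},
    {"pid": 220, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\Open.bat"},
    {"pid": 221, "ppid": 220, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe [constructed args] https://example.invalid/p.dll"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for finding in find_onenote_chains(SAMPLE_EVENTS):
        print(finding)
```

The PowerShell process started from Explorer (pid 300) is not reported, because only script hosts with OneNote somewhere in their ancestry match.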











