
Nuspire Threat Analysis: Qakbot Spam Campaign Leveraging Microsoft OneNote

For the past few weeks, Nuspire’s Threat Intelligence team has monitored multiple spam campaigns spreading the Qakbot malware. Qakbot is a constantly evolving malware that specializes in gaining initial access to devices allowing threat actors to either sell access to different malware groups or load additional malware to carry out further malicious activity. We covered Qakbot in a previous blog on Black Basta ransomware group.  

Although phishing is not a new attack vector, the recent announcement from Microsoft regarding disabling VBA macros by default has forced threat actors to devise new tactics. One of those tactics involves creating malicious OneNote documents that allow adversaries to embed almost any file type. Read on for our analysis on how this works.  

Initial Access

Qakbot is typically delivered via spam emails imitating a legitimate company such as DHL and including shipping information to socially engineer the user into downloading and executing the malware. Another common tactic is email message thread injection, where every participant on an existing conversation chain receives a reply-all message with a malicious .one notebook attached.

Figure 1: Malicious OneNote file opened from a spam email. Clicking the “Open” button presents a warning popup; if the user allows it, the malware executes.


Execution

Once the malware has been allowed to run, the threat actors utilize a plethora of techniques to avoid detection, specifically Windows’ built-in tools and commands. During the weeks Nuspire Threat Intelligence monitored this phase of the attack, we saw a shift in tactics multiple times, with more expected on the way.

The embedded “open.cmd” file contains the following Base64-encoded PowerShell commands:

Figure 2: Contents of “open.cmd” reveal Base64 Encoded PowerShell commands. 

Threat actors commonly use LOLBins (Living Off the Land Binaries) such as PowerShell and encode the commands with Base64 to avoid detection and attempt to bypass AV/EDR in the victim environment. The decoded value is shown in cleartext below and tells PowerShell to contact the URL, download the .gif payload and output it to the “C:\ProgramData” directory with the name “putty.jpg.” 

Figure 3: Decoded Base64 PowerShell Commands. 

In addition to this tactic, we also saw the threat actors leverage a different PowerShell web request command known as a download cradle, as shown below.  

Figure 4: Base64 Encoded PowerShell Download cradle technique. 

This command also uses Base64 encoding, and it additionally sets variables to randomly generated values as another method of evading detection.

Figure 5: Decoded PowerShell Download cradle technique. 

Nuspire’s custom EDR rules killed and contained the attack before the PowerShell commands could execute and before any additional payloads were downloaded. Through further research in Nuspire’s lab environment, we determined how the attack continues once the payload has been downloaded from the malicious host.

Following the naming convention and directories above, the payload is written to the “C:\ProgramData” directory as “putty.jpg.” Although the “.jpg” extension normally denotes a compressed image format, the encoded PowerShell command shows that the threat actor intends to invoke this file with the Windows utility “Rundll32.exe.” Rundll32 is used to load dynamic link libraries (DLLs) in Windows, but adversaries can also abuse it for proxy execution of arbitrary malicious code, as seen here.


Command and Control (C2)

Once the Qakbot DLL has been loaded into memory via Rundll32, a further evasion technique injects it into a legitimate Windows process, typically “wermgr.exe,” before command and control communications begin.


Figure 6: Rundll32 Qakbot injecting into wermgr.exe for C2 Communications.

Qakbot’s command and control communications usually begin with a connectivity check, a ping or GET request to a legitimate URL such as msn.com. Once a connection is confirmed, a series of POST requests carrying data about the infected device is sent to the C2 servers.

At this point, the Qakbot operators can determine if they want to drop additional malware, such as Cobalt Strike, to move laterally through the environment or sell the initial access to a different group, which may result in the deployment of ransomware. 


Recommendations


While the methods are changing, threat actors’ core tactics remain the same. Organizations should take the following steps to help protect their environment from OneNote-based attacks:

  • Continue to provide cybersecurity awareness training with a focus on phishing. Remind users to remain cautious with Word and Excel files, and to be especially cautious with OneNote files.
  • Pay attention to warning popups, such as shown in Figure 1. These shouldn’t be disregarded. 
  • If OneNote is not used within your environment, consider blocking .one files at your email firewall to help prevent them from reaching end users. 


Identified Indicators of Compromise


These are the indicators of compromise Nuspire’s Threat Intelligence Team was able to extract during its analysis. These can be used to identify malicious activity in other environments.  
