eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
eSentire has detected a resurgence in Qakbot malware activity. The campaign was first identified on January 31st, and a notable increase in Qakbot activity was observed during the week of February 6th. Qakbot is a former banking trojan that now primarily functions as a loader for other threats including ransomware.
In recently observed attacks, threat actors deliver malicious OneNote documents to potential victims via email as attachments. eSentire has observed Interview and Invoice themed lures to trick end-users into interacting with the malicious content (Figure 1). Organizations need to ensure that employees are aware of current email-based threats and have an escalation path in place to report potentially malicious content for review.
What we’re doing about it
eSentire MDR for Endpoint, Machine-Learning Powered BlueSteel, and eSentire MDR for Network detect Qakbot malware and associated post-infection activity
Known attacker infrastructure has been blocked via eSentire’s global deny list
Based on recently identified incidents, new detections for eSentire MDR for Endpoint have been deployed
eSentire security teams continue to track this campaign for additional details and detection opportunities
What you should do about it
Ensure antivirus signatures are up-to-date
Confirm endpoint detection and response technology are deployed across all endpoints
If not required for legitimate business purposes, consider blocking OneNote attachments in email
Train users to identify and report potentially malicious content
Users should specifically be aware of the threat of OneNote documents for malware delivery (See figures 1, 2, & 3 for malicious email and OneNote examples)
Additional information
OneNote for the delivery of malicious content is a growing trend amongst threat actor groups. This change is attributed to Microsoft’s decision to change the default behavior of Office applications to block macros in files from the internet. Other malware recently reported to be delivered via OneNote documents includes IcedID, Bumblebee, and QuasarRAT.
In the recently observed campaign, email was used for initial delivery of the OneNote document. The payload within OneNote attachment is a Windows Command Script (.cmd) file that contains the PowerShell command to download the Qakbot payload. The downloaded payloads are DLL (Dynamic link library) files disguised as PNG and GIF images. Lastly, RunDLL32 executes the final payload (Figure 4). eSentire is aware of external reports where the initial email includes a link leading to a OneNote download page.
The attacker objective was not identified as the incidents were remediated prior to attacker goals being actioned. eSentire did observe reconnaissance activity during post intrusion actions. Based on previously observed Qakbot activity, it is highly likely that infections would be used to enable follow on ransomware attacks.
Qakbot has been in active use since at least 2008. The eSentire Threat Intelligence team assesses that it is almost certain that Qakbot activity will continue through 2023, barring significant law-enforcement action.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
