A phishing campaign led by the Qakbot hacker group uses the malware of the same name to spread through the email inboxes of their victims.
Sophos security researchers uncovered a phishing campaign using a malware called Qakbot. They send emails containing an attached file. The latter is a file in the format. one, which leads the recipient of the message to believe that someone they know wants to share a OneNote document. Once he clicks on the attached file, a OneNote page appears. It states: “This document contains attachments from the cloud. To receive them, double-click on Open”. If you click this button, trouble begins.
The executed HTML application will download Qakbot’s malicious code from a remote server and execute it on the victim’s computer. To go unnoticed by antivirus software, imported files pretend to be images (in png or gif format, for example). These are actually DLLs designed to execute malicious scripts and infect Windows system applications.
Qakbot inserts itself into email conversations and “reproduces” itself in this way
Sophos says, “If you’re not sure […] take the time to call or message the sender and make sure he actually sent you the document”. This is the best way to never be infected, unfortunately it is not always enough. Qakbot has the ability to insert messages in the middle of existing conversation threads. Researchers readily admit, he is very good at quoting a previous post and causing confusion with the participants.
To read – Phishing: hackers have found a new technique to trap you even better
Using OneNote files to infect Windows computers appears to be a very recent technique, since Sophos estimates that this campaign began on January 31, 2023. If the infection vector, Qakbot, is known, the company does not give more details on the nature of the abuses of the hacker group. Their malware can be used to steal user data, or to take possession of a PC to integrate it into a botnet.
Source: TechRadar