QakNote


Qakbot was first observed in 2008.  While it was originally a banking trojan, it has evolved over time to include gaining initial access, dropping additional malware, and performing other data-stealing, ransomware, and malicious activities across a network.

QakNote is the name of the new Qakbot campaign.  It was first reported on Twitter by Cynet researcher Max Malyutin, who explained that threat actors were experimenting with a new distribution method to replace their former use of malicious macros in Microsoft Office documents, after Microsoft disabled those macros by default in July 2022.

Researchers at Sophos noticed two different spam campaigns.  Each one used email messages as the initial attack vector.  In the first, threat actors sent emails containing a malicious link; following the link downloaded the malicious OneNote notebook (.one file) to the machine.  In this campaign they observed that only browsers sending a Windows User-Agent string received the notebook download.  All other User-Agent strings received a 404 error.

The other method was “message thread injection.”  This is accomplished by using a botnet to inject a malicious email into an already existing email conversation: email accounts on already infected machines are hijacked, and the “Reply All” feature is used to send a message carrying the malicious attachment or a website link.

In the second method, all attachments in the campaign were named either ApplicationReject_#####(Jan31).one or ComplaintCopy_#####(Feb01).one, where ##### is five randomly generated digits.  Once the victim opened the file, they were shown one of two screens, each with a button for the user to click.  Once the user clicked to ‘view’ the file, a background process launched, activating the malware.

[Image: the malicious OneNote attachment; hovering over the “Open” button reveals the embedded ‘attachment.hta’]

As you can see in the above image, hovering over the “Open” button reveals a reference to an HTML application named ‘attachment.hta.’  Most of the identified HTA files contained identical script, the primary difference being the URLs they called to retrieve the payload.  In each HTA file, the first line was a long, obfuscated string that the rest of the program decoded.  Ultimately, this passed a hardcoded URL to a curl call, which retrieved a DLL file disguised as a .png or .gif into the C:\ProgramData folder and then executed it, infecting the machine.
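The two observations above (OneNote attachments carrying an embedded HTA, and HTA droppers that curl a fake-image DLL into C:\ProgramData) suggest a simple triage check a defender can run on quarantined .one files: pull out every embedded attachment and flag the ones that look like script with download-and-drop markers. The following is an added example, not code from Sophos, Cynet or Red Sky Alliance. It assumes the FileDataStoreObject layout documented in MS-ONESTORE (a 16-byte header GUID, an 8-byte little-endian length, 4 unused bytes, 8 reserved bytes, then the raw embedded file, then a footer GUID); the sample bytes it scans are constructed for the demo and are not a real OneNote file or a real dropper.

```python
"""Triage helper: list embedded attachments in a OneNote (.one) file and flag
script-like ones carrying the download/drop markers described in the article.
Added example; assumes the MS-ONESTORE FileDataStoreObject layout."""
from __future__ import annotations

import re
import struct
import uuid
from dataclasses import dataclass

# FileDataStoreObject header/footer GUIDs from MS-ONESTORE, stored little-endian on disk.
FILE_DATA_STORE_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FILE_DATA_STORE_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_FMT = "<QI8s"                      # cbLength (u64), unused (u32), reserved (8 bytes)
HEADER_SIZE = 16 + struct.calcsize(HEADER_FMT)  # 36 bytes before the embedded data

# Markers taken from the article's description of the QakNote HTA droppers:
# a script block, a curl download, a drop into ProgramData, and an image extension on the payload.
SUSPICIOUS_MARKERS = (
    re.compile(rb"<script\b", re.I),
    re.compile(rb"\bcurl\b", re.I),
    re.compile(rb"ProgramData", re.I),
    re.compile(rb"\.(png|gif)\b", re.I),
)


@dataclass
class EmbeddedFile:
    offset: int   # where the header GUID was found in the .one blob
    data: bytes   # the raw embedded attachment

    def kind(self) -> str:
        head = self.data[:64].lstrip().lower()
        if head.startswith(b"mz"):
            return "pe"          # a DLL/EXE dropped straight into the notebook
        if head.startswith(b"<"):
            return "markup"      # HTA/HTML/XML
        return "other"

    def hits(self) -> list[str]:
        return [m.pattern.decode() for m in SUSPICIOUS_MARKERS if m.search(self.data)]

    def is_suspicious(self) -> bool:
        # Any embedded PE is worth a look; markup is flagged only when it has a
        # script block plus at least one download/drop marker, to limit false positives.
        kind, hits = self.kind(), self.hits()
        if kind == "pe":
            return True
        return kind == "markup" and any("script" in h for h in hits) and len(hits) >= 2


def extract_embedded_files(blob: bytes) -> list[EmbeddedFile]:
    """Carve every FileDataStoreObject out of the blob, skipping malformed lengths."""
    found: list[EmbeddedFile] = []
    pos = blob.find(FILE_DATA_STORE_HEADER)
    while pos != -1:
        fields_at = pos + 16
        if fields_at + struct.calcsize(HEADER_FMT) <= len(blob):
            length, _unused, _reserved = struct.unpack_from(HEADER_FMT, blob, fields_at)
            start, end = pos + HEADER_SIZE, pos + HEADER_SIZE + length
            if 0 < length and end <= len(blob):   # reject truncated or absurd lengths
                found.append(EmbeddedFile(pos, blob[start:end]))
        pos = blob.find(FILE_DATA_STORE_HEADER, pos + 16)
    return found


def scan_one_file(blob: bytes) -> list[dict]:
    """One report entry per embedded attachment; 'suspicious' is the triage verdict."""
    return [
        {"offset": f.offset, "size": len(f.data), "kind": f.kind(),
         "hits": f.hits(), "suspicious": f.is_suspicious()}
        for f in extract_embedded_files(blob)
    ]


def _wrap(payload: bytes) -> bytes:
    """Constructed FileDataStoreObject around a payload (demo only, not a real notebook)."""
    fields = struct.pack(HEADER_FMT, len(payload), 0, b"\0" * 8)
    return FILE_DATA_STORE_HEADER + fields + payload + FILE_DATA_STORE_FOOTER


def build_sample() -> bytes:
    """Constructed blob with one benign note and one HTA-like fixture (no working dropper)."""
    benign = b"Meeting notes: budget review moved to Thursday."
    hta_like = (b'<html><script language="vbscript">\n'
                b"' constructed fixture: real samples decode a long obfuscated string here\n"
                b'cmd = "curl -o C:\\ProgramData\\update.png"\n'
                b"</script></html>")
    return b"\x00" * 32 + _wrap(benign) + b"\xff" * 16 + _wrap(hta_like) + b"\x00" * 8


if __name__ == "__main__":
    for entry in scan_one_file(build_sample()):
        print(entry)
```

Run it against a real quarantined .one file by replacing `build_sample()` with the file's bytes; anything reported as `suspicious` should go to sandboxing rather than to the user. The carver deliberately ignores the OneNote object tree and just pattern-matches the header GUID, which is enough for triage but will also surface embedded files inside otherwise benign notebooks, so the verdict is a prompt for analysis, not a block decision on its own.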

In this malware campaign, both delivery methods ask the victim to visit a link or open a file.  If you receive an email with a link or file you don’t trust or aren’t expecting, it is best not to click on it.  If you do download the file and a pop-up warns you about the consequences of continuing, contact the sender to confirm they actually sent it.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  
