AhnLab Security Emergency response Center (ASEC) has covered various distribution methods of Qakbot, and the method of distributing through OneNote was covered back in February. The distribution of Qakbot through OneNote has been confirmed again recently, and it was discovered that the Windows Help file (CHM) was used in this recent attack.
Upon executing the OneNote file, it prompts users to click on the Open button along with a Microsoft Azure image, as shown below. An ISO file is hidden inside the location of this button, and once a user clicks the Open button, an ISO file is created in a temp folder and mounted.

A CHM disguised as a README file exists inside the ISO, prompting users to open it.

Upon executing the CHM file, a normal help screen regarding network connectivity is displayed, making it difficult for the user to notice the malicious behavior.

The malicious script, which runs without the user's knowledge, is shown below. It launches an encoded PowerShell command through CMD. The script is triggered through the Click method, the same technique used by existing CHM malware.

The decoded PowerShell command is shown below. The command attempts to download an additional malicious file from multiple URLs and save it to the %TEMP%\antepredicamentPersecutory.tuners path. Since the downloaded file is subsequently executed through rundll32, it can be assumed that it is a DLL.

- Download URL
hxxps://nayadofoundation[.]org/wXaKm/SQ2wfto2vosn
hxxps://citytech-solutions[.]com/6Mh1k/OJMPf
hxxps://zainco[.]net/OdOU/9IAsdunbnH
hxxps://gsscorporationltd[.]com/okSfj/rAVykcQiX
hxxps://mrcrizquna[.]com/L7ccN/kz5AeBZ6
hxxps://hotellosmirtos[.]com/sjn/uhidwrQ9Hz
hxxps://carladvogadatributaria[.]com/tvnq9/i8zBwKW
hxxps://erg-eg[.]com/ocmb/xvjmmvS
This command is similar to the command used by the Qakbot that was distributed via PDF back in April. These download URLs are currently unavailable, but internal and external infrastructure data showed that the Qakbot binary had been distributed from them while they were still reachable.
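The execution chain described above (hh.exe opening the CHM, CMD launching an encoded PowerShell command, and rundll32 loading the dropped file from %TEMP%) can be checked against process-creation telemetry. The following Python script is an added detection example, not code from ASEC or from the malware: it parses constructed process-creation records, flags the CHM viewer spawning a shell, decodes any -EncodedCommand payload to pull out URLs and the %TEMP% drop path, and flags rundll32 being pointed at a non-.dll file under Temp. The log format, the PowerShell fragment standing in for the decoded command, and the rundll32 entry-point name are all constructed placeholders; only the defanged URLs and the .tuners path come from the post.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed PowerShell fragment standing in for the decoded command. It carries only
# the indicators described in the post (defanged URLs, %TEMP% drop path); it is not the
# actual script and does nothing if run.
SAMPLE_SCRIPT = (
    "$urls = @('hxxps://nayadofoundation[.]org/wXaKm/SQ2wfto2vosn',"
    "'hxxps://citytech-solutions[.]com/6Mh1k/OJMPf');"
    "$out = \"$env:TEMP\\antepredicamentPersecutory.tuners\""
)

# Script hosts the CHM viewer (hh.exe) has no legitimate reason to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
          "mshta.exe", "wscript.exe", "cscript.exe"}

URL_RE = re.compile(r"(?i)\bh(?:xx|tt)ps?://[^\s'\"\)]+")            # live or defanged URLs
TEMP_PATH_RE = re.compile(r"(?i)(?:\$env:TEMP|%TEMP%)\\[\w.\-]+")  # files written under %TEMP%
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
RUNDLL_RE = re.compile(r'(?i)\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+"?([^",]+)')


def encode_powershell(script: str) -> str:
    """Encode text the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -e/-ec/-enc/-EncodedCommand."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_indicators(script: str) -> Dict[str, List[str]]:
    """Pull download URLs and %TEMP% drop paths out of a decoded script for triage."""
    return {"urls": URL_RE.findall(script), "temp_paths": TEMP_PATH_RE.findall(script)}


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'KEY=value|KEY=value' process-creation record."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse_record(rec: Dict[str, str]) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    parent = basename(rec.get("parent", ""))
    image = basename(rec.get("image", ""))
    cmdline = rec.get("cmdline", "")
    # 1. The CHM viewer spawning a shell or script host is the start of the chain.
    if parent == "hh.exe" and image in SHELLS:
        findings.append({"rule": "chm_spawned_shell", "child": image})
    # 2. Encoded PowerShell: decode it and record the URLs and drop path it references.
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append({"rule": "encoded_powershell", **extract_indicators(decoded)})
    # 3. rundll32 asked to load a file from Temp that does not carry a .dll extension.
    if image == "rundll32.exe":
        m = RUNDLL_RE.match(cmdline)
        if m:
            target = m.group(1)
            if "\\temp\\" in target.lower() and not target.lower().endswith(".dll"):
                findings.append({"rule": "rundll32_non_dll_from_temp", "path": target})
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for line in lines:
        findings.extend(analyse_record(parse_log_line(line)))
    return findings


# Constructed sample telemetry: three records mirroring the chain in the post plus one
# benign record. The ",EntryPoint" export name on the rundll32 line is a placeholder.
SAMPLE_LOG = [
    "PARENT=C:\\Windows\\hh.exe|IMAGE=C:\\Windows\\System32\\cmd.exe"
    f"|CMDLINE=cmd.exe /c powershell -enc {encode_powershell(SAMPLE_SCRIPT)}",
    "PARENT=C:\\Windows\\System32\\cmd.exe"
    "|IMAGE=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    f"|CMDLINE=powershell -enc {encode_powershell(SAMPLE_SCRIPT)}",
    "PARENT=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|IMAGE=C:\\Windows\\System32\\rundll32.exe"
    "|CMDLINE=rundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\antepredicamentPersecutory.tuners,EntryPoint",
    "PARENT=C:\\Windows\\explorer.exe|IMAGE=C:\\Windows\\System32\\notepad.exe"
    "|CMDLINE=notepad.exe readme.txt",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The three rules are deliberately independent: the first fires on the parent/child pair alone, the second on any encoded PowerShell regardless of parent, and the third on rundll32's argument alone, so a partial view of the chain still produces an alert. The decoded indicators can be compared against the IOC list below.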
Recently, the number of malware distribution cases using OneNote has been increasing, and threat actors have been using various file formats in their attacks. Users must be careful when opening emails and OneNote files from unknown sources. AhnLab's anti-malware product, V3, detects and blocks the malware using the aliases below.
[File Detection]
Dropper/MSOffice.Generic (2023.04.24.03)
Downloader/CHM.Generic (2023.04.24.03)
[IOC]
dffd7026f7508ae69c1b23ebd33ed615
2ce926649092b4aa642ba6ed1fe0f191
hxxps://nayadofoundation[.]org/wXaKm/SQ2wfto2vosn
hxxps://citytech-solutions[.]com/6Mh1k/OJMPf
hxxps://zainco[.]net/OdOU/9IAsdunbnH
hxxps://gsscorporationltd[.]com/okSfj/rAVykcQiX
hxxps://mrcrizquna[.]com/L7ccN/kz5AeBZ6
hxxps://hotellosmirtos[.]com/sjn/uhidwrQ9Hz
hxxps://carladvogadatributaria[.]com/tvnq9/i8zBwKW
hxxps://erg-eg[.]com/ocmb/xvjmmvS
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.