OneNote

Qakbot Distributed via OneNote and CHM

AhnLab Security Emergency response Center (ASEC) has covered various distribution methods of Qakbot, and the method of distributing it through OneNote was covered back in February. The distribution of Qakbot through OneNote has been confirmed again recently, and it was discovered that a Windows Help file (CHM) was used in this recent attack.

Qakbot Being Distributed via OneNote

When executed, the OneNote file shows a Microsoft Azure image and prompts users to click on the Open button, as shown below….

Emotet Being Distributed via OneNote

AhnLab Security Emergency response Center (ASEC) has recently discovered Emotet being distributed via OneNote. A spear phishing email, shown below, with a OneNote file attached prompts the reader to open the attachment, which contains a malicious script file (JS file). When the OneNote file is run, it directs the user to click the button to connect to the cloud to open the document. A malicious script named output1.js is embedded in this ‘Next’ button. As shown below, the…

OneNote Malware Disguised as Compensation Form (Kimsuky)

AhnLab Security Emergency response Center (ASEC) has discovered the distribution of a OneNote malware disguised as a form related to compensation. The confirmed file impersonates the same research center as the LNK-type malware covered in the post below. Based on the identical malicious activity performed by the VBS files, the team has deduced that the same threat actor is behind both incidents.

Malware Distributed Disguised as a Password File

As shown in the figure below, a page discussing compensation…

Qakbot Being Distributed via OneNote

Back in January, AhnLab ASEC published an analysis report on a malware strain that was being distributed through Microsoft (MS) OneNote. As mentioned in the report, there has recently been an increasing number of cases where commodity malware like Qakbot stopped using MS Office macros, its past distribution method, and instead started to use OneNote to execute the malware. In the case of Qakbot distribution via OneNote that happened on February 1st, the threat actor distributed the OneNote…