Qakbot Distributed via OneNote and CHM

AhnLab Security Emergency response Center (ASEC) has covered various distribution methods of Qakbot, and the method of distributing through OneNote was covered back in February. The distribution of Qakbot through OneNote has been confirmed again recently, and it was discovered that the Windows Help file (CHM) was used in this recent attack. Qakbot Being Distributed via OneNote Upon executing the OneNote file, it prompts users to click on the Open button along with a Microsoft Azure image, as shown below….

Qakbot Being Distributed via OneNote

Back in January, AhnLab ASEC published an analysis report on a malware strain that was being distributed through Microsoft (MS) OneNote. As mentioned in the report, there has recently been an increasing number of cases where commodity malware like Qakbot stopped using MS Office Macro, their past distribution method, and instead started to use OneNote to execute their malware. If you look at the Qakbot distribution via OneNote case that happened on February 1st, the threat actor distributed the OneNote…

Qakbot Being Distributed via Virtual Disk Files (*.vhd)

There’s been a recent increase in the distribution of malware using disk image files. Out of these, the Qakbot malware has been distributed in ISO and IMG file formats, and the ASEC analysis team discovered that it has recently changed its distribution to the use of VHD files. Such use of disk image files (IMG, ISO, VHD) is seen to be Qakbot’s method of bypassing Mark of the Web (MOTW). Disk image files can bypass the MOTW feature because when the files inside…