Cloud 101CircleEventsBlog

QakBot eCrime Campaign Leverages Microsoft OneNote Attachments

QakBot eCrime Campaign Leverages Microsoft OneNote Attachments

Blog Article Published: 05/10/2023

Originally published by CrowdStrike.

In November 2021[1] and February 2022[2], Microsoft announced that by default it would block Excel 4 and VBA macros in files that were downloaded from the internet. Following these changes, CrowdStrike Intelligence observed eCrime adversaries that had previously relied on macro execution for malware delivery adapt their tactics, techniques and procedures (TTPs).

Many adversaries began to use ISO files containing LNKs that then started the rest of the infection chain when executed. This trend was likely driven by a Mark-of-the-Web (MOTW) vulnerability in ISO files, which means files inside ISOs did not receive MOTW when downloaded from the internet.

In November 2022, Microsoft patched the MOTW vulnerability in ISO files (CVE-2022-41091).[3] Shortly after this change, CrowdStrike Intelligence once again began observing adversaries adapt their TTPs, and the use of ISO files began to decline (Figure 1).

Figure 1. Comparison of likely malicious ISO and OneNote files submitted to a public malware repository by month, October 2022-February 2023

Initially, this change saw adversaries move to methods such as malvertising and search engine optimization poisoning. While many adversaries continue to abuse search engines, since early January 2023, CrowdStrike Intelligence have observed a sharp rise in eCrime adversaries abusing OneNote files to deliver payloads. OneNote files can be configured to contain embedded HTA, LNK and EXE files, which is likely of high value to eCrime actors to embed and distribute malicious files.

While much of the early waves of OneNote files were used to deliver a custom loader popular with access brokers — a technique commonly used to deliver payloads such as AsyncRAT, QuasarRAT and Redline Stealer — OneNote files have now been adopted by high-end eCrime adversaries such as LUNAR SPIDER and MALLARD SPIDER. OneNote file builders, which can be used to generate malicious OneNote files on the fly, are also being advertised on criminal forums.

Overview of Observed TTPs and Characteristics

Since the start of 2023, the team has observed multiple phishing campaigns attempting to distribute OneNote documents embedded with malicious files. To achieve code execution, the OneNote attachments were initially embedded with HTML Application (.HTA) files, capable of executing JavaScript, Jscript and VBScript. Recent variants have been embedded with Windows Command (.CMD) files that are used to execute shell commands and PowerShell scripts, as well as .JSE binaries, which contain Jscript.

While exhibiting minor differences, the attack chain has been fairly consistent with each variant:

  • A OneNote document with embedded .HTA, .CMD or .JSE binary is delivered via email or downloaded via a malicious URL.
  • The document is accessed by a user, followed by execution of the embedded file.
  • The embedded file executes obfuscated code to download a second-stage payload from the attacker infrastructure.
  • The second-stage payload is stored on disk and executed via rundll32.exe, commonly masquerading as a .PNG file.

Recent variants have been leveraged to drop QakBot, which is primarily used to deliver additional payloads such as Cobalt Strike, and are often observed in conjunction with big game hunting (BGH) ransomware actors.

Threat actors have used various techniques to obfuscate the content within the embedded files, such as encoding, storing content and functions in variables, inserting random strings, and other forms of data manipulation.

Figure 2. MITRE ATT&CK® tactics and techniques observed in OneNote campaigns

Investigation and Response

Starting in early January 2023, CrowdStrike began responding to detections involving OneNote documents executing malicious .HTA files. More recently, variants of OneNote files were configured to execute .CMD and .JSE files. The following section discusses artifacts and TTPs related to each of these variants, while also diving into the triage and analysis of a malicious OneNote attachment.

Initial Detection and Triage

An initial detection was received for a OneNote.exe process spawning MSHTA.exe, identified as Initial Access via Spearphishing Attachment (MITRE Sub-technique T1566.001, as shown in Figure 3).

Figure 3. Process execution of OneNote.exe spawning MSHTA.exe

This activity originated from a OneNote document DocumentsFolder_637695(Feb03).one being executed from the Outlook Cache folder Content.Outlook:

"C:\Program Files (x86)\Microsoft Office\Office15\ONENOTE.EXE" 

OneNote.exe then spawned MSHTA.exe, which attempted to execute a file named Open.hta from a temporary directory:


.HTA files are executed by the Microsoft utility MSHTA.exe, referred to as the Microsoft HTML Application Host. The .HTA file format was developed by Microsoft for HTML applications that support scripting languages such as JavaScript, Jscript and VBScript. Because of the wide range of supported scripting languages, these files are commonly abused to achieve code execution.

Similarly, .CMD and .JSE files also support scripting languages that can be abused to achieve code execution. .CMD files are typically launched by the Windows Command Prompt (cmd.exe), while .JSE binaries are launched by Windows Scripting Interpreter (wscript.exe).

Files embedded within OneNote documents are temporarily stored and executed from the following path:

C:\Users\[Victim]\AppData\Local\Temp\OneNote\15.0\NT\0\[Embedded Binary]

Contents and Layout of DocumentsFolder_637695(Feb03).one

The CrowdStrike team acquired the .one file from the affected host for further analysis. When opened in a sandbox environment using Microsoft OneNote, the file DocumentsFolder_637695(Feb03).one displays the social engineering message “This document contains attachments from the cloud, to receive them, double click “open”” (see Figure 4).

Figure 4. Content of DocumentsFolder_637695(Feb03).one in Microsoft OneNote

Simply hovering over the “Open” button displays the embedded file that would be executed if the button were double-clicked:

Figure 5. View of embedded binary Open.hta

The “Open” button depicted in Figure 5 executes Open.hta, which was inserted from the original file path Z:\build\one\Open.hta.

In recent incidents, .CMD and .JSE binaries were embedded in OneNote documents in the same manner, using the same or similar graphics as above. When comparing multiple malicious OneNote documents, the same file name was observed for the “Open” button being used (see Figure 6).

File Name: Безымянный рисунок

Figure 6. Comparison of multiple OneNote documents using the file name Безымянный рисунок

The image name Безымянный рисунок is written in Cyrillic and translates to “Anonymous drawing.” This name is assigned to images added to OneNote documents when the language is set to Russian.

Extraction of Embedded Files

To better understand the function of the embedded .HTA file, the data streams within DocumentsFolder_637695(Feb03).one were dumped using Didler Stevens’ tool (Figure 7).