Qakbot Distributed via OneNote and CHM

AhnLab Security Emergency response Center (ASEC) has covered various distribution methods of Qakbot, and the method of distributing through OneNote was covered back in February. The distribution of Qakbot through OneNote has been confirmed again recently, and it was discovered that the Windows Help file (CHM) was used in this recent attack.

Qakbot Being Distributed via OneNote

Upon executing the OneNote file, it displays a Microsoft Azure image and prompts the user to click an Open button, as shown below. An ISO file is hidden behind this button; once the user clicks Open, the ISO file is written to a temp folder and mounted.

Malicious file hidden behind the Open button

A CHM disguised as a README file exists inside the ISO, prompting users to open it.

Inside the ISO file
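Files embedded in a OneNote notebook, such as the ISO hidden behind the Open button above, are stored as FileDataStoreObject records in the MS-ONESTORE format: a 16-byte header GUID, an 8-byte little-endian length, 12 reserved bytes, then the raw payload. The triage script below is an added example, not code from the ASEC post; it carves those records out of a .one blob and identifies each payload by its magic bytes (ISO 9660 keeps its "CD001" volume descriptor at offset 0x8001). The sample notebook bytes are constructed here: zero padding stands in for the notebook's own structures, and the two embedded objects are a minimal PNG stub and a minimal ISO stub.

```python
import struct

# Header GUID of a FileDataStoreObject, {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC},
# in its on-disk byte order (MS-ONESTORE). Payload starts 36 bytes after it:
# 16 (guid) + 8 (cbLength, little-endian) + 4 (unused) + 8 (reserved).
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_DATA_OFFSET = 36


def extract_embedded_files(blob: bytes):
    """Return a list of (offset, payload) for every embedded file object."""
    results = []
    pos = 0
    while True:
        idx = blob.find(FDSO_HEADER, pos)
        if idx < 0:
            break
        (length,) = struct.unpack_from("<Q", blob, idx + 16)
        start = idx + FDSO_DATA_OFFSET
        results.append((idx, blob[start:start + length]))
        pos = start + length  # skip past the payload so we never match inside it
    return results


def identify(payload: bytes) -> str:
    """Classify a payload by magic bytes; the interesting cases are the ones
    that should never be sitting behind a button in a notebook."""
    if payload[:2] == b"MZ":
        return "PE (exe/dll)"
    if payload[:4] == b"ITSF":
        return "CHM"
    if len(payload) > 0x8005 and payload[0x8001:0x8006] == b"CD001":
        return "ISO 9660"
    if payload[:8] == b"\x89PNG\r\n\x1a\n":
        return "PNG image"
    return "unknown"


def triage(blob: bytes):
    """(offset, type, size) for each embedded object in the notebook."""
    return [(off, identify(p), len(p)) for off, p in extract_embedded_files(blob)]


# --- constructed sample notebook (not a real .one file) -----------------------
def _build_fdso(payload: bytes) -> bytes:
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload


SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # decoy image stub
SAMPLE_ISO = b"\x00" * 0x8001 + b"CD001\x01" + b"\x00" * 64  # ISO stub
SAMPLE_ONE = (b"\x00" * 64            # placeholder for notebook header/structures
              + _build_fdso(SAMPLE_PNG)
              + b"\x00" * 16
              + _build_fdso(SAMPLE_ISO))

if __name__ == "__main__":
    for off, kind, size in triage(SAMPLE_ONE):
        print(f"offset {off:#x}: {kind}, {size} bytes")
```

Run against a real notebook by reading the file into `triage()`; any payload reported as ISO, CHM or PE is worth pulling out for analysis rather than opening.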

Upon executing the CHM file, a normal help screen regarding network connectivity is displayed, making it difficult for the user to notice the malicious behavior.

Screen that appears upon executing the CHM

The malicious script that runs without the user's knowledge is shown below. It launches an encoded PowerShell command through CMD, using the same Click method that existing CHM malware has relied on.

Malicious script within the CHM

The decoded PowerShell command is shown below. It attempts to download an additional malicious file from multiple URLs and save it to the %TEMP%\antepredicamentPersecutory.tuners path. Since the downloaded file is then executed through rundll32, it can be assumed to be a DLL.

Decoded PowerShell command

  • Download URLs
    hxxps://nayadofoundation[.]org/wXaKm/SQ2wfto2vosn
    hxxps://citytech-solutions[.]com/6Mh1k/OJMPf
    hxxps://zainco[.]net/OdOU/9IAsdunbnH
    hxxps://gsscorporationltd[.]com/okSfj/rAVykcQiX
    hxxps://mrcrizquna[.]com/L7ccN/kz5AeBZ6
    hxxps://hotellosmirtos[.]com/sjn/uhidwrQ9Hz
    hxxps://carladvogadatributaria[.]com/tvnq9/i8zBwKW
    hxxps://erg-eg[.]com/ocmb/xvjmmvS

This command is similar to the one used by the Qakbot that was distributed via PDF back in April. These download URLs are currently unavailable, but internal and external infrastructure data showed that the Qakbot binary had been distributed from them while they were reachable.
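The execution chain described above (CHM opened by HTML Help, CMD launching an encoded PowerShell command that pulls a file from several URLs into %TEMP% and hands it to rundll32) leaves a distinctive trail in process-creation telemetry. The detection logic below is an added example, not code from the ASEC post: it decodes the `-EncodedCommand` payload (base64 of UTF-16LE, the encoding PowerShell uses for that switch), extracts URLs from the decoded script, and flags the combination of hh.exe parentage, multiple download URLs and a rundll32 call on a %TEMP% path. The event records are constructed here in the shape of Sysmon Event ID 1 fields, and the encoded script is a non-functional stand-in that only carries the indicators the page describes (example.invalid URLs, a %TEMP% path, a rundll32 call).

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)"
    r"\s+([A-Za-z0-9+/=]{16,})"
)
URL_RE = re.compile(r"""https?://[^\s'"<>,;)]+""", re.I)
TEMP_RE = re.compile(r"(?i)%temp%|\$env:temp")
RUNDLL_RE = re.compile(r"(?i)rundll32")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded
    command, else None. Malformed base64/UTF-16 is treated as 'not encoded'."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: dict) -> dict:
    """Score one process-creation event for the CHM -> CMD -> PowerShell chain."""
    findings = []
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")

    # hh.exe is the HTML Help viewer; it has no business spawning a shell.
    if parent.endswith("\\hh.exe") and image.endswith(("\\cmd.exe", "\\powershell.exe")):
        findings.append("shell spawned by HTML Help (hh.exe)")

    decoded = decode_encoded_command(cmd)
    script = decoded if decoded is not None else cmd
    if decoded is not None:
        findings.append("encoded PowerShell command decoded")

    urls = URL_RE.findall(script)
    if len(urls) >= 2:
        findings.append(f"{len(urls)} download URLs in one command")

    # Downloader pattern from the post: file dropped under %TEMP%, run via rundll32.
    if TEMP_RE.search(script) and RUNDLL_RE.search(script):
        findings.append("rundll32 invoked on a file under %TEMP%")

    return {"findings": findings, "urls": urls, "decoded": decoded}


def triage_events(events):
    """Indices of events that produced at least one finding, with the findings."""
    out = []
    for i, ev in enumerate(events):
        r = analyze_event(ev)
        if r["findings"]:
            out.append((i, r["findings"]))
    return out


# --- constructed sample telemetry ---------------------------------------------
# Stand-in script: carries the indicators only; the download loop is omitted.
SAMPLE_SCRIPT = ('$p="$env:TEMP\\sample.tuners";'
                 "$urls='https://example.invalid/one','https://example.invalid/two';"
                 "# download loop omitted in this constructed sample;"
                 "rundll32 $p,Entry")
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd.exe /c powershell.exe -w hidden -enc {SAMPLE_ENC}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Process"'},
]

if __name__ == "__main__":
    for idx, findings in triage_events(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for f in findings:
            print("  -", f)
```

In practice the URL list from `analyze_event` is what you would feed to blocking and retro-hunting, and the parent-process check is the cheapest single signal: hh.exe spawning cmd.exe or powershell.exe is rare enough on most estates to alert on by itself.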


Recently, the number of malware distribution cases using OneNote has been increasing, and threat actors have been using various file formats in their attacks. Users must be careful when opening emails and OneNote files from unknown sources. AhnLab's anti-malware product, V3, detects and blocks the malware using the aliases below.

[File Detection]
Dropper/MSOffice.Generic (2023.04.24.03)
Downloader/CHM.Generic (2023.04.24.03)

[IOC]
dffd7026f7508ae69c1b23ebd33ed615
2ce926649092b4aa642ba6ed1fe0f191
hxxps://nayadofoundation[.]org/wXaKm/SQ2wfto2vosn
hxxps://citytech-solutions[.]com/6Mh1k/OJMPf
hxxps://zainco[.]net/OdOU/9IAsdunbnH
hxxps://gsscorporationltd[.]com/okSfj/rAVykcQiX
hxxps://mrcrizquna[.]com/L7ccN/kz5AeBZ6
hxxps://hotellosmirtos[.]com/sjn/uhidwrQ9Hz
hxxps://carladvogadatributaria[.]com/tvnq9/i8zBwKW
hxxps://erg-eg[.]com/ocmb/xvjmmvS

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Article Link: Qakbot Distributed via OneNote and CHM - ASEC BLOG