A new QBot malware campaign dubbed “QakNote” has been observed in the wild since last week, using malicious Microsoft OneNote ‘.one’ attachments to infect systems with the banking trojan.
QBot (aka QakBot) is a former banking trojan that evolved into malware that specializes in gaining initial access to devices, enabling threat actors to load additional malware on the compromised machines and perform data-stealing, ransomware, or other activities across an entire network.
OneNote attachments in phishing emails emerged last month as a new attack vector to replace malicious macros in Office documents that Microsoft disabled in July 2022, leaving threat actors with fewer options to execute code on targets’ devices.
Threat actors can embed almost any file type when creating malicious OneNote documents, including VBS attachments or LNK files. These are then executed when a user double-clicks on the embedded attachment in a OneNote Notebook.
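
For triage of inbound '.one' attachments, the sketch below is an added example (not from the article or any vendor tool) that locates embedded files by the FileDataStoreObject header GUID defined in the MS-ONESTORE specification and flags LNK, executable and script payloads. The function names, the keyword list and the sample bytes are assumptions constructed for illustration.

```python
import struct
import uuid

# FileDataStoreObject header GUID from the MS-ONESTORE specification,
# converted to its on-disk (little-endian) byte order.
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Illustrative keyword list (an assumption, not a complete signature set).
SCRIPT_HINTS = (b"wscript", b"createobject", b"powershell", b"<hta:")


def classify(blob):
    """Coarse type guess for one embedded blob."""
    if blob.startswith(LNK_MAGIC):
        return "lnk"
    if blob.startswith(b"MZ"):
        return "pe"
    head = blob[:4096].replace(b"\x00", b"").lower()  # also matches UTF-16 text
    return "script" if any(h in head for h in SCRIPT_HINTS) else "other"


def embedded_files(data):
    """Return [(offset, size, kind)] for each FileDataStoreObject found in data."""
    found, pos = [], data.find(FDSO_HEADER)
    while pos != -1:
        # Layout: guidHeader(16) cbLength(8) unused(4) reserved(8) FileData(cbLength)
        start = pos + 36
        if start <= len(data):
            (size,) = struct.unpack_from("<Q", data, pos + 16)
            if start + size <= len(data):  # skip truncated or coincidental matches
                found.append((start, size, classify(data[start:start + size])))
        pos = data.find(FDSO_HEADER, pos + 16)
    return found


def build_sample(payloads):
    """Constructed stand-in for a .one file: only the object framing is modelled."""
    out = b"\x00" * 32
    for p in payloads:
        out += FDSO_HEADER + struct.pack("<Q", len(p)) + b"\x00" * 12 + p + b"\x00" * 8
    return out


if __name__ == "__main__":
    vbs = b'Set d = CreateObject("Scripting.Dictionary")\r\n'  # harmless sample
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for offset, size, kind in embedded_files(build_sample([png, vbs, LNK_MAGIC])):
        flag = "REVIEW" if kind != "other" else "ok"
        print(f"{flag:6} offset={offset} size={size} type={kind}")
```

Ordinary notebooks embed images and documents the same way, so an alert should key on the payload type rather than on the mere presence of an embedded object.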