A new campaign of QBot malware known as “QakNote” has been spotted in the field since last week, using malicious Microsoft OneNote ‘.one’ attachments to infect systems with the banking trojan.
QBot (aka QakBot) is a former banking trojan that has evolved into malware that specializes in gaining initial access to devices, allowing hackers to load additional malware onto the compromised machines and perform data theft, ransomware, or other network-wide activities.
Hackers can embed almost any file type when creating malicious OneNote documents, including VBS files or LNK files. These are then executed when a user double-clicks the embedded attachment in the OneNote notebook.
However, social engineering is needed to convince users to click on a specific point to launch the embedded attachment, usually using a ‘double-click to view file’ button.
The recommendation is that email administrators consider blocking all .one file extensions, as they are not typically sent as attachments.
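
A gateway-style check for the recommendation above, as an added example that is not from the original article: it flags attachments by `.one` extension and, going beyond the extension block, by the OneNote file-type GUID at the start of the file, and counts embedded-file headers. The function names and the sample message are constructed for illustration; the two GUIDs are taken from Microsoft's MS-ONESTORE format specification.

```python
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# File-type GUID at offset 0 of a .one section file (MS-ONESTORE), in on-disk byte order.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
# Header GUID that precedes each embedded file blob (FileDataStoreObject, MS-ONESTORE).
EMBED_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment that is, or looks like, a OneNote file."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():  # walk() also descends into forwarded message/rfc822 parts
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Windows ignores trailing dots/spaces, so "x.one." still opens as .one
        by_ext = name.lower().rstrip(". ").endswith(".one")
        by_magic = data.startswith(ONE_MAGIC)  # catches a renamed OneNote file
        if by_ext or by_magic:
            findings.append({
                "filename": name,
                "matched_extension": by_ext,
                "matched_header": by_magic,
                "embedded_files": data.count(EMBED_GUID),
            })
    return findings


def build_sample() -> bytes:
    """Constructed test message: fake attachments, no real OneNote content."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    fake_one = ONE_MAGIC + b"\x00" * 32 + EMBED_GUID + b"\x00" * 16
    for fname, body in [("Invoice.ONE", fake_one), ("notes.dat", fake_one),
                        ("report.pdf", b"%PDF-1.7 constructed")]:
        msg.add_attachment(body, maintype="application", subtype="octet-stream",
                           filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A non-empty result is the signal to quarantine or strip the attachment; the `embedded_files` count gives the analyst a quick indication of whether the notebook carries attached files at all.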