
Malicious documents are dead, long live malicious documents
After almost three decades of Microsoft Office macro malware being used to infect computers, and a decade of it being one of the most commonly distributed types of malware, Microsoft has dealt it a potentially fatal blow: macros in downloaded files are now disabled by default. That means no more banner that can be clicked to simply enable the macro. Macros are completely blocked, and re-enabling them requires a great deal of deliberate user intervention.
However, as the saying goes, "nature abhors a vacuum," and threat actors have spent years honing their social engineering playbook around document malware. Add to this the out-of-the-box thinking this line of work demands, and cybercriminals’ history of trying novel approaches to evade malware detection, and the result is weaponized OneNote files being used to distribute Qakbot, likely the first of many new approaches to document malware.
How QuakNote malware campaign works
The campaign, dubbed QuakNote, relies on several techniques seen often in the past. First, the use of the lesser-known .one file extension can evade many email and malware scanners. This issue is compounded by OneNote not using the same container format as most other Microsoft Office files, almost all of which use OLE2 or OOXML. As a result, some malware scanning solutions may not be capable of analyzing the file at all without modifications.
When opened, the malicious OneNote document prompts the user to click to open another file — a common tactic in both Microsoft Office and PDF malware. This action typically either runs an embedded script or file, or links to another piece of malware to be downloaded. In this case, an embedded HTML Application (.hta file) runs, using JavaScript to execute Windows shell commands through WshShell — a practice that has been used for at least eight years across several JavaScript-enabled file types. These scripts download the next payload, in this case Qakbot. Interestingly, though, this campaign uses curl.exe, which only comes with Windows 10 or later.
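As an added defender-side illustration (not code from the Barracuda post or the campaign), the following Python recognises a .one section by its header GUID, carves out every embedded file object, and flags script-like attachments of the kind described above. The GUIDs are the ones MS-ONESTORE defines for the .one file header and the FileDataStoreObject wrapper; the sample input is constructed, and its marker blob is not a working HTA.

```python
import struct
import uuid

# GUIDs defined in the MS-ONESTORE specification; stored little-endian on disk.
ONE_FILE_TYPE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
FDSO_FIXED_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved


def is_onenote_section(data: bytes) -> bool:
    """A .one file starts with guidFileType, not an OLE2 or OOXML (ZIP) signature."""
    return data[:16] == ONE_FILE_TYPE_GUID


def carve_embedded_files(data: bytes) -> list:
    """Return (offset, payload, footer_ok) for every FileDataStoreObject in the section."""
    found, pos = [], data.find(FDSO_HEADER_GUID)
    while pos != -1 and pos + FDSO_FIXED_LEN <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)  # cbLength
        start = pos + FDSO_FIXED_LEN
        payload = data[start:start + length]  # truncated silently if cbLength lies
        # guidFooter follows FileData, possibly after a few alignment bytes.
        footer_ok = data.find(FDSO_FOOTER_GUID, start + length, start + length + 32) != -1
        found.append((pos, payload, footer_ok))
        pos = data.find(FDSO_HEADER_GUID, start + max(length, 1))
    return found


def classify_payload(payload: bytes) -> str:
    """Cheap type heuristics; script text with shell-object markers is the QuakNote pattern."""
    if payload[:2] == b"MZ":
        return "pe"
    if payload[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole2"
    if payload[:4] == b"%PDF":
        return "pdf"
    head = payload[:4096].lower()
    if b"<script" in head and (b"wscript.shell" in head or b"activexobject" in head):
        return "hta-script"
    return "other"


def scan_onenote(data: bytes) -> dict:
    """Summarise embedded object types and flag the section when a risky type is present."""
    types = [classify_payload(p) for _, p, _ in carve_embedded_files(data)]
    return {"is_onenote": is_onenote_section(data), "embedded": types,
            "suspicious": any(t in ("pe", "hta-script") for t in types)}


def build_constructed_sample() -> bytes:
    """Constructed input: .one file-type GUID, filler for the rest of the header, one embedded blob."""
    blob = b"<script>/* constructed marker blob */ WScript.Shell ActiveXObject</script>"
    pad = b"\x00" * (-len(blob) % 8)
    fdso = FDSO_HEADER_GUID + struct.pack("<Q", len(blob)) + b"\x00" * 12 + blob + pad + FDSO_FOOTER_GUID
    return ONE_FILE_TYPE_GUID + b"\x00" * 48 + fdso
```

Because the scanner carves FileDataStoreObject records rather than parsing the full section tree, it also works on damaged or deliberately malformed .one files as long as the wrapper GUIDs survive.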
Qakbot is a bot ― software that runs on an infected system waiting for commands from a command-and-control server on what to do next. Qakbot in particular typically targets financial data and credentials, but it has been used to deploy ransomware in the past as well.
With the change to how macros are handled, this is likely one of the first of many novel attacks to come as attackers look for strategies on par with exploiting Office macros. In addition to trying out lesser-known file types, it's possible that PDF malware may increase to fill the void as well.
