Threat actors are found to leverage Microsoft OneNote attachments to deploy a Formbook malware, dubbed Qakbot, among unsuspecting users. As discovered by Chicago-headquartered cybersecurity firm Trustwave, the Formbook malware is being spread via spam emails which carry OneNote attachments. 


Why OneNote?


As per a February 1 blog post by dark Web monitoring and cyberthreat intelligence firm Cyble, Trustwave first saw instances of the OneNote-administered malware in December 2022. As to why the choice of Microsoft’s digital notebook tool, Cyble suggested that using OneNote helps the bad actors avoid detection by antivirus apps, in turn increasing the chances of successful infections.


How does the malware infection work?


The process of infection is pretty straightforward. Once an unsuspecting user opens an attachment, it releases an embedded .hta file (executed by mstha.exe). This in turn leads to a Qakbot DLL file being downloaded, which is executed by rundll32.exe. 


How can Qakbot harm you?


As per Cyble, Quakbot is a “constantly evolving malware that can have serious consequences for its victims.” It can steal information such as usernames, passwords, and cookies from Web browsers. It can also steal emails. Quakbot also has the ability to spread to other devices within a network in order to deploy other malware families such as ransomware. 


Quakbot can be used to commit severe crimes such as financial fraud and identity theft, among others. 


How can you protect your PC?


For starters, you should avoid opening emails from unknown/unverified users. 


Cyble notes that downloading pirated software from unofficial sites can also lead to the spread of malware on your system. 


It is also a good idea to use strong passwords as well as multi-factor authentication as much as possible. A good antivirus app on PCs or phones is highly recommended.


Lastly, if you are an employer, it’s advised to enable data loss protection (DLP) solutions on your employees’ systems.