Commodity malware continues to plague businesses, and the threat actors behind families such as IcedID and Qbot/Qakbot are using a diverse set of tactics, techniques, and procedures to spread the malware and compromise more victims.
Qbot and IcedID are both highly modular malware families used for many malicious activities, including credential harvesting, maintaining persistence in a target network, and dropping ransomware. As WaterISAC continues tracking ongoing threat activity leveraging the OneNote distribution method, security researchers at AhnLab recently observed Qbot still being distributed via OneNote and noted that a Compiled HTML Help (CHM) file was used in a recently identified attack. The threat actors behind IcedID are also continuing to exploit OneNote to infect victims.

In addition, researchers at Menlo Labs observed other IcedID campaigns using different distribution methods. One campaign used HTML smuggling to deliver and execute IcedID, with the smuggled payload reaching potential victims via email. Another campaign used malvertising to infect victims with IcedID. The last campaign disguised IcedID as a ‘Thumbcache Viewer’ utility; when victims ran the program, the malware executed. Network defenders are encouraged to maintain awareness of the various threats that are being distributed via malicious OneNote files. Read more at Info-Security Magazine.
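As an added example (not code from this page, from WaterISAC, or from any of the vendors cited above), the Python script below carves embedded files out of a OneNote document and flags the payload types seen in these campaigns (executables, CHM help files, shortcuts, and script loaders). It assumes the FileDataStoreObject record layout and GUIDs documented in Microsoft's MS-ONESTORE specification; the sample document it scans is constructed inline for demonstration and is not real malware.

```python
"""Heuristic carver for embedded files in OneNote (.one) documents.

Assumptions (not from the page): the FileDataStoreObject layout and GUIDs come
from Microsoft's MS-ONESTORE specification; SAMPLE_ONE below is constructed
inline for demonstration and is not a real .one file or real malware.
"""
import hashlib
from dataclasses import dataclass

# .one file header GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, little-endian bytes
ONE_FILE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")
# FileDataStoreObject guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# FileDataStoreObject guidFooter {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
# record header = guidHeader(16) + cbLength(8) + unused(4) + reserved(8)
FDSO_HEADER_LEN = 36

RISKY_KINDS = {"pe", "chm", "lnk", "script"}


@dataclass
class EmbeddedFile:
    offset: int
    size: int
    kind: str
    sha256: str


def classify(blob: bytes) -> str:
    """Cheap magic-byte / keyword classification of a carved payload."""
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"ITSF"):  # Compiled HTML Help (.chm)
        return "chm"
    if blob.startswith(b"\x4c\x00\x00\x00\x01\x14\x02\x00"):  # Windows shortcut (.lnk)
        return "lnk"
    if blob.startswith(b"\x89PNG") or blob.startswith(b"\xff\xd8\xff"):
        return "image"
    if blob.startswith(b"%PDF"):
        return "pdf"
    head = blob[:512].decode("latin-1").lower()
    markers = ("createobject(", "wscript", "powershell", "<script", "@echo off", "mshta")
    if any(m in head for m in markers):
        return "script"
    return "unknown"


def carve_embedded_files(data: bytes) -> list[EmbeddedFile]:
    """Walk every FileDataStoreObject in `data` and return the payloads found.

    Records whose footer GUID is not where cbLength says it should be
    (truncated file or bogus length) are skipped rather than trusted, and
    scanning resumes just past the header GUID.
    """
    found = []
    pos = 0
    while (idx := data.find(FDSO_HEADER, pos)) != -1:
        if idx + FDSO_HEADER_LEN > len(data):
            break
        length = int.from_bytes(data[idx + 16:idx + 24], "little")
        start = idx + FDSO_HEADER_LEN
        end = start + length
        if end + 16 > len(data) or data[end:end + 16] != FDSO_FOOTER:
            pos = idx + 16
            continue
        blob = data[start:end]
        found.append(EmbeddedFile(start, length, classify(blob),
                                  hashlib.sha256(blob).hexdigest()))
        pos = end + 16
    return found


def suspicious_kinds(data: bytes) -> list[str]:
    """Payload kinds that should trigger a block or alert, in file order."""
    return [f.kind for f in carve_embedded_files(data) if f.kind in RISKY_KINDS]


def build_record(blob: bytes) -> bytes:
    """Wrap a blob in a FileDataStoreObject record (used to build the sample)."""
    return FDSO_HEADER + len(blob).to_bytes(8, "little") + b"\x00" * 12 + blob + FDSO_FOOTER


# Constructed sample document: a decoy image followed by the kinds of payload
# the OneNote campaigns above drop. Not a real .one file, not real malware.
SAMPLE_ONE = (
    ONE_FILE_MAGIC + b"\x00" * 32
    + build_record(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40)                      # decoy image
    + b"\x00" * 16
    + build_record(b"MZ\x90\x00" + b"\x00" * 60)                             # dropped executable
    + build_record(b"ITSF\x03\x00\x00\x00" + b"\x00" * 24)                   # CHM help file
    + build_record(b'Set s = CreateObject("WScript.Shell")\r\ns.Run "cmd"')  # VBS loader
)

if __name__ == "__main__":
    for f in carve_embedded_files(SAMPLE_ONE):
        print(f"offset={f.offset:<6} size={f.size:<5} kind={f.kind:<8} sha256={f.sha256[:16]}...")
    print("verdict:", "SUSPICIOUS" if suspicious_kinds(SAMPLE_ONE) else "clean")
```

Point this at .one attachments pulled from the mail gateway or from a sandbox's dropped-file list; the SHA-256 of each carved payload can be matched against existing indicators, and any record of a risky kind is enough to quarantine the attachment. This is triage, not a full OneNote parser: it does not follow the file-node structure, so it will also carve payloads that the document never references, which for this purpose is a feature rather than a limitation.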
Additional WaterISAC Reporting on IcedID and/or Qakbot/Qbot:
- DHS Report on Threat Actors Exploiting OneNote to Deliver Qakbot and IcedID Malware
- Threat Awareness – Qbot Malware Propagating via Email Hijacking
- Threat Awareness - Use of Microsoft OneNote to Spread Malicious Payloads Rising
- Threat Awareness – Black Basta Ransomware Employs Qakbot in Latest Attack Chain
- Qbot Displaces Emotet as Most Prevalent Malware in December 2022, New Report Finds