“My phone’s been hacked!” Words you probably don’t want to hear or say. Ever.
Yes, a smartphone can get hacked just like any other device. And they make prize targets as well. Loaded as they are with personal and financial information, access to payment apps, files, photos, and contacts, bad actors have plenty to gain by tapping into your smartphone.
How do bad actors pull it off? They have several attack vectors they can choose from.
Today’s attackers have gotten cagier as well. It used to be that a hacked phone would run sluggishly or hot after it got infected by malware. The battery might have drained quickly as well. That was because the malware ate up system resources, created conflicts with other apps, and used your data or internet connection to pass along your personal information—all of which could make your smartphone feel a little off. That still might be the case with some mobile malware today, yet much of it works far more efficiently. The old telltale physical signs of a hacked phone might not present themselves at all.
However, you can spot several signs that might indicate your phone has been hacked.
A few examples follow. Note that these might be signs of a hacked phone, yet not always.
Install and run online protection software on your smartphone if you haven’t already. From there, delete any apps you didn’t download, delete risky texts, and then run your mobile security software again.
If you still have issues, wiping and restoring your phone is an option. Provided you have your photos, contacts, and other vital info backed up in the cloud, it’s a relatively straightforward process. A quick search online can show how to wipe and restore your model of phone.
Lastly, check your accounts and your credit card statements to see if any unauthorized purchases have been made. If so, you can go through the process of freezing those accounts and getting new cards and credentials issued. Further, update your passwords for your accounts with a password that is strong and unique to prevent further theft.
To help keep your phone from getting hacked in the first place, there are a few relatively easy steps you can take. Inside of a few minutes, you can find yourself much safer than you were before.
The post How to Know If Your Phone Has Been Hacked appeared first on McAfee Blog.
As we continue to evolve technologically, so do cybercriminals in their never-ending quest to exploit vulnerabilities in our digital lives. The previous years have clearly shown that cybercriminals are increasingly leveraging new technologies and trends to trick their victims. As we move into another year, it’s crucial to be aware of the tried and tested tactics these cyber criminals use and stay prepared against potential threats.
In this article, we delve deeper into one such tactic that remains a favorite among cybercriminals – ‘phishing’ via emails. We focus on the trickiest and most dangerous email subject lines that have been commonly used in worldwide phishing emails. Recognizing these ‘baits’ can be your first step towards safeguarding your identity and valuables against cybercriminals. Beware, there are plenty of these ‘phishes’ in the sea, and it helps to be on your guard at all times.
Sending email messages filled with malicious links or infectious attachments remains a dominant strategy among cybercriminals. This strategy, commonly known as ‘phishing,’ is often disguised in a variety of forms. The term ‘Phishing’ is derived from the word ‘Fishing,’ and just like fishing, where bait is thrown in the hope that a fish will bite, phishing is a cyber trick where an email is the bait, and the unsuspecting user is the fish.
Today’s most common phishing scams, as found by McAfee, reveal that cybercriminals tend to use certain email subject lines more often than others. Although this does not mean that emails with other subject lines are not harmful, being aware of the most commonly used ones can give you an edge. The key takeaway here is to be vigilant and alert when it comes to all kinds of suspicious emails, not just those with specific subject lines.
Let’s take a look at the top five most commonly used subject lines in worldwide phishing emails. The list will give you an understanding of the varied strategies employed by cybercriminals. The strategies range from social networking invitations to ‘returned mail’ error messages and phony bank notifications. Be aware that these are just the tip of the iceberg and cyber criminals are continuously coming up with new and improved tactics to gain access to your sensitive data.
In the past, cybercriminals used to cast big, untargeted nets in the hopes of trapping as many victims as possible. However, recent trends indicate a shift towards more targeted and custom messages designed to ensnare more victims. A classic example of such a targeted phishing attack is the JP Morgan Chase phishing scam that took place earlier this year.
The fact that phishing scams are still on the rise amplifies the importance of proactive measures to protect our digital assets. As technology advances, these threats continue to evolve, making ongoing vigilance, education, and caution in our online engagements critical in combating the increasing prevalence of such scams.
Phishing emails, often with a guise of urgency or familiarity, cunningly aim to deceive recipients into revealing sensitive information, most commonly, personal identities and financial credentials. These malicious messages are designed to prey on our trust and curiosity, making it crucial to scrutinize each email carefully. Cybercriminals behind phishing schemes are after the keys to both your digital identity and your wallet. They may seek login credentials, credit card details, social security numbers, and other sensitive data, which can lead to identity theft, financial loss, and even broader security breaches. It is essential to exercise caution and rely on best practices for email and internet security to thwart their efforts and safeguard your online presence.
While phishing emails come in a variety of forms, their ultimate goal remains the same: to steal your identity and money. As we move into the New Year, it’s prudent to add a few safety measures to your resolutions list. Protecting yourself from the increasingly sophisticated and customized phishing attacks requires more than awareness.
With an understanding of phishing techniques, the next step is learning how to protect yourself from falling prey to them. Ultimately, you are the first line of defense. If you’re vigilant, you can prevent cyber criminals from stealing your sensitive information. The following are some tips that can help you safeguard your digital life and assets:
First, avoid opening attachments or clicking on links from unknown senders. This is the primary method that cybercriminals use to install malware on your device. If you don’t recognize the sender of an email, or if something seems suspicious, don’t download the attachment or click on the link. Even if you do know the sender, be cautious if the email message seems odd or unexpected. Cybercriminals often hack into email accounts to send malicious links to the victim’s contacts.
Another important practice is to think twice before sharing personal information. If you’re asked for your name, address, banking information, password, or any other sensitive data on a website you accessed from an email, don’t supply this information, as it is likely a phishing attempt. In case of any doubts regarding the authenticity of a request for your information, contact the company directly using a phone number or web address you know to be correct.
Even with the most diligent practices, it’s still possible to fall victim to phishing attacks. Hence, having security nets in place is crucial. Start by being careful on social networks. Cybercriminals often hack into social media accounts and send out phishing links as the account owner. Even if a message appears to come from a friend, be cautious if it looks suspicious, especially if it contains only a link and no text.
Installing comprehensive security software is another essential step. McAfee LiveSafe service, for instance, offers full protection against malware and viruses on multiple devices. This software can be a lifeline if you happen to click a malicious link or download a hazardous attachment from an email.
It’s also a smart idea to regularly update your devices. Updates often contain patches for security vulnerabilities that have been discovered since the last iteration of the software. Cybercriminals are always looking for vulnerabilities to exploit, so keeping your software up-to-date is one of the most effective ways to protect yourself.
McAfee Pro Tip: Always update both your software and devices. First and foremost, software updates often include patches and fixes for vulnerabilities and weaknesses that cybercriminals can exploit. By staying up-to-date, you ensure that you have the latest defenses against evolving threats. Learn more about the importance of software updates.
Phishing attempts are a constant threat in the digital world, and their sophistication continues to evolve. Cybercriminals are relying more on tailored and targeted attacks to deceive their victims. The top five most dangerous email subject lines mentioned above are a clear indicator that criminals are becoming more nuanced in their attempts to trick victims. However, with awareness and vigilance, you can effectively avoid their traps.
Remember, your personal and financial information is valuable. Make sure to protect yourself from phishing attempts by avoiding suspicious links and attachments, thinking twice before sharing your personal information, being cautious on social media, installing comprehensive security software like McAfee+, and keeping all software up-to-date. Being prepared can make all the difference in keeping your digital life secure.
The post Top 5 Most Dangerous Email Subject Lines appeared first on McAfee Blog.
Human beings are remarkable in their resilience. Beyond our ability to build and grow civilizations, we possess a somewhat less understood but equally important characteristic – the ability to deceive ourselves. The implications of this trait are vast and diverse, sometimes manifesting in seemingly irrational behavior, such as underestimating risks in the realm of cybersecurity.
Psychology explores the distinguishing factor of mankind from the rest of the species on our planet – reason. How we perceive the world around us and how we act, whether consciously or subconsciously, is governed by our minds. However, when it comes to risk assessment, our brain often falls prey to its limitations. It’s our innate tendencies to underestimate slowly rising threats, substitute one risk for another, or fall under the illusion of control that reveal our resilience in ignoring the hard truths. This applies to today’s digital environment and our approach to cybersecurity.
These psychological tendencies significantly impact the world of cybersecurity. Employees often justify risky behaviors like clicking on unknown links or emails, or dismiss their gut feeling when something feels suspicious. Cybersecurity professionals might put an overinflated trust in their own abilities to handle the next threat, rather than seeking help from a third party with potentially more experience. The slow trickle of breaches that make the headlines creates an illusion that we are somehow immune to the next one, and while we stay in denial, the risk continues to mount unnoticed.
Survey data provides some alarming insights. According to McAfee’s research among American consumers, 71% of those aged 18-34 believe their data is more secure today than it was a year ago. Similarly, 65% of those aged 35-54 agree. This is in stark contrast to the rapidly growing threats in our virtual world, exemplified by the fact that ten years ago, McAfee Labs observed 25 new threats per day, whereas today we face more than 400,000 new threats per day!
Despite recognising the growing dangers of cyberspace, consumers often overestimate their own capabilities to defend against such threats. This overconfidence, coupled with self-deception, presents an ideal opportunity for threat actors to exploit their vulnerabilities. The victims, consumers and cybersecurity professionals alike, unknowingly advertise themselves as easy targets for the next cyber attack.
Fortunately, there is a solution to this problem. While it might be unrealistic to completely eliminate our inborn tendencies towards self-deceit, we can certainly address them through open dialogue and constructive discussions about our propensity to miscalculate risks. By doing so, we can disarm the enemies, significantly reducing their arsenal and mitigating the threats.
McAfee Pro Tip: Everything starts with self-awareness. We can only disarm these enemies–hackers, in this context–if we inform ourselves of the latest cybersecurity threats that might come our way. Find out more about the latest cybersecurity news on McAfee.
If you would like to learn more about the perceptions of cybersecurity risks, consider reading the book titled, “The Second Economy: The Race for Trust, Treasure and Time in the Cybersecurity War.” This book delves deeper into the complexities of cybersecurity, explaining in detail the intricacies of navigating the cyber threat environment and how to protect yourself effectively.
In addition, McAfee has developed a holistic strategy to transform the learning experience of cybersecurity into an informative journey. Our resources encompass a diverse collection of blogs, enlightening reports, and instructive guides. These materials have been carefully crafted to offer users a wealth of information on safeguarding your online life.
The human brain has been wired over thousands of years of evolution to protect us from threats and ensure our survival. Unfortunately, due to this “protection” mechanism, it often deceives us about the realities of risk. This deception is not intentional but a result of cognitive biases, which are ingrained predispositions that influence our judgement and decision-making.
Various cognitive biases come into play while evaluating risk. For instance, the ‘optimism bias’ leads us to believe that we are less prone to negative outcomes than others. The ‘confirmation bias’ induces us to interpret information in a way that validates our preexisting beliefs. In the cybersecurity landscape, these biases can push us towards underestimating the threats and overestimating our abilities to tackle them.
The optimism bias, for one, can make individuals and organizations overly optimistic about their cybersecurity posture. This bias may lead them to believe that they are less likely to experience a security breach than others, even when they have the same or similar vulnerabilities. This can result in underinvestment in security measures and a lack of preparedness for potential threats.
Confirmation bias, meanwhile, can lead cybersecurity professionals to selectively seek and interpret information that aligns with their preexisting beliefs about security. For example, if an organization believes that a specific security technology is the best solution, they may unconsciously filter out data that contradicts this view. This can result in the implementation of ineffective security measures and a false sense of security.
Recognizing and addressing these biases is crucial in the field of cybersecurity to ensure that risks are accurately assessed, and appropriate measures are taken to protect sensitive data and systems. Cybersecurity professionals should strive to maintain objectivity, seek diverse perspectives, and engage in ongoing risk assessment and mitigation efforts to counteract these biases.
Given how our inbuilt cognitive biases can negatively impact our risk judgments, it is critical to take efforts towards mitigating the resultant miscalculations. Firstly, we need to acknowledge that our minds are prone to deception and can mislead us in evaluating cyber threats. This involves being open to critique and willing to question our assumptions regarding cybersecurity.
Secondly, we need to foster a culture of learning and awareness around cybersecurity. Regular training programs and workshops can help individuals understand the potential threats and learn how to counteract them effectively. Cybersecurity awareness needn’t be a one-time event; it should be an ongoing process. Finally, embracing a proactive approach to cybersecurity that focuses on preventing threats rather than merely responding to them can further help in reducing the risk. This approach not only fortifies our defenses but also empowers us to adapt and thrive in an increasingly interconnected world, where the security of our information is of paramount importance.
The deception and resilience of the human mind are two sides of the same coin. While they contribute to our survival and success as a species, they can sometimes lead us astray in intricate domains like cybersecurity. Recognizing our cognitive biases and striving to overcome them can help us better assess and respond to cyber threats. With a proactive approach to cybersecurity and ongoing efforts towards raising awareness, we can make strides towards a safer virtual world.
We invite you to explore the subject further with the book, “The Second Economy: The Race for Trust, Treasure and Time in the Cybersecurity War”. It provides a comprehensive look at the complex world of cybersecurity and offers valuable insights into navigating the cyber threat environment effectively. Alternatively, you can also browse our cybersecurity resources at McAfee.
The post Cybersecurity: Miscalculating Cyber Threats appeared first on McAfee Blog.
What’s blockchain technology? The term gets bandied about often enough, but it doesn’t always get the explanation it deserves.
Understanding the basics of blockchain can help you understand several of the big changes that are taking place online. It’s the foundational technology that underpins cryptocurrency and NFTs (non-fungible tokens), yet it has several other emerging applications as well.
In all, gaining a sense of how blockchain technology works will give you a further sense as to how it may eventually shape the way you go about your day.
Blockchain technology holds great potential because of the unique, decentralized way it handles data—which marks the first step in understanding how it works.
An easy way to visualize how a blockchain works is with an old-fashioned ledger. Each ledger entry is a link in a “chain.” Each link holds a unique identifier known as a hash and a block of data associated with it. Over time, links get added, which updates the hash as new blocks of data are added to the chain.
A simplified example of a blockchain storing recipe instructions. The Previous Hash and Stuff (data) fields generate the Hash field. This Hash becomes part of the next record.
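The chaining rule from the caption above can be sketched in a few lines. This is an added example, not code from the original post: the field names follow the caption (Previous Hash, Stuff, Hash), while the SHA-256 choice, the all-zero first Previous Hash and the recipe steps are assumptions made for illustration. It shows what a local check catches when an old entry is edited, and what only a comparison with another participant's copy of the ledger catches.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed placeholder Previous Hash for the first block


def block_hash(previous_hash: str, stuff: str) -> str:
    """Hash field = SHA-256 over the Previous Hash and Stuff fields."""
    payload = json.dumps({"previous_hash": previous_hash, "stuff": stuff},
                         sort_keys=True).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def build_chain(items):
    """Build one block per item; each block's Hash feeds the next block."""
    chain, prev = [], GENESIS_PREV
    for stuff in items:
        digest = block_hash(prev, stuff)
        chain.append({"previous_hash": prev, "stuff": stuff, "hash": digest})
        prev = digest
    return chain


def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS_PREV
    for index, block in enumerate(chain):
        if block["previous_hash"] != prev:
            return index  # link to the previous block is broken
        if block_hash(block["previous_hash"], block["stuff"]) != block["hash"]:
            return index  # stored Hash does not match the block's contents
        prev = block["hash"]
    return None


def tamper(chain, index, new_stuff, recompute="none"):
    """Edit one block's data. recompute is 'none', 'block' or 'tail'."""
    forged = copy.deepcopy(chain)
    forged[index]["stuff"] = new_stuff
    if recompute == "none":
        return forged
    last = index if recompute == "block" else len(forged) - 1
    for i in range(index, last + 1):
        if i > index:
            forged[i]["previous_hash"] = forged[i - 1]["hash"]
        forged[i]["hash"] = block_hash(forged[i]["previous_hash"], forged[i]["stuff"])
    return forged


# Constructed sample data: four recipe steps.
RECIPE = ["Preheat oven", "Mix flour and sugar", "Add two eggs", "Bake 30 minutes"]

if __name__ == "__main__":
    honest = build_chain(RECIPE)
    print("honest chain:", first_invalid_block(honest))
    # Data edited, Hash left alone: the edited block itself fails.
    print("edit only:", first_invalid_block(tamper(honest, 1, "Mix flour and salt")))
    # Data edited and that block's Hash recomputed: the next block's link fails.
    print("edit + rehash:", first_invalid_block(
        tamper(honest, 1, "Mix flour and salt", "block")))
    # Every later block rewritten: the copy is self-consistent, so the local check
    # passes. Only the final hash differs from the one other participants hold.
    rewritten = tamper(honest, 1, "Mix flour and salt", "tail")
    print("full rewrite:", first_invalid_block(rewritten),
          "head matches peers:", rewritten[-1]["hash"] == honest[-1]["hash"])
```

The last case is why a single self-consistent copy proves nothing on its own: the protection comes from many participants holding and comparing the same chain.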
Yet one of the most important aspects of blockchain technology is this—it’s decentralized. Dozens, hundreds, thousands, or more participants in the blockchain track and validate the transactions associated with it.
Each blockchain entry gets validated through consensus, where individual participants on a blockchain network must all “agree” that the data in each entry is correct. Participants in the blockchain network can arrive at consensus through several models, yet commonly they use cryptographic calculations to validate an update to the chain.
In this way, blockchain technology removes the need for a central authority to oversee a transaction, such as a bank. Put simply, blockchain gets rid of the go-between. And it makes transactions more anonymous as a result.
Participants in a blockchain network receive a small amount of cryptocurrency per transaction as a reward for their efforts. Enter the notion of crypto mining, where some miners set up large-scale farms of powerful, specialized computers that participate in blockchain networks.
Blockchains come in public and private forms. Public is just as it sounds, where anyone can participate in the blockchain. They can read, write, or validate data in the blockchain. Private blockchains are invite-only in nature and can establish rules about who can alter the blockchain.
Many blockchain ledger entries record financial transactions associated with cryptocurrency. However, ledger entries can contain any type of data. One can just as easily store documents, images, log files, or other items in a blockchain. Even decentralized programs, also known as smart contracts, can be stored.
In all, there’s much more to blockchain technology than just cryptocurrency.
First and foremost, blockchain technology is at the heart of cryptocurrency. Wherever cryptocurrency is bought, spent, or exchanged, the blockchain is there to facilitate the transaction. However, we can point to several new and emerging applications as well, including:
Blockchain technology offers several benefits, yet it has its downsides as well.
Decentralization removes the need for third parties in transactions because the blockchain provides the verification and oversight for the transaction to go through. In the case of financial transactions, that removes the need for banks. In the sale of property, that removes the need for a title company.
However, if there is a conflict or issue between the parties, they have no central authority to manage its resolution. (See this story written by a BBC journalist about his quest to recover stolen crypto funds.)
Additionally, decentralization can afford parties anonymity, which can cover up illegal activities—thus making cryptocurrency the coin of the realm for scammers and murky marketplaces on the dark web.
Blockchain technology is open, meaning that theoretically anyone with a specially equipped device can generate revenue as a miner in the blockchain economy. Yet the reality is that much of the technology is in the hands of the few. For starters, these mining devices are expensive. Secondly, it takes hundreds of these devices to mine effectively, which points to the advent of the industrial-sized mining farms mentioned above.
To put it all into perspective, one study estimated that “(t)he top 10% of [Bitcoin] miners control 90% and just 0.1% (about 50 miners) control close to 50% of mining capacity.”
Additionally, all that computing power comes at an additional cost—energy. It takes electricity to run those huge mining farms, and it takes yet more electricity to keep them cool. As a result, crypto mining can generate an outsized carbon footprint if the electricity is generated with fossil fuels.
Image and data courtesy of Digiconomist
Of note, the second-largest cryptocurrency, Ethereum, has made great strides on the energy consumption front. It updated the way the cryptocurrency arrives at consensus in its blockchain and uses far less energy as a result. Estimates show that Ethereum’s carbon footprint decreased by about 99.992% from 11,016,000 to 870 metric tons of CO2.
As far as technology goes, we still live in the relatively early days of blockchain. And while much of its popular focus revolves around its role in cryptocurrencies like Bitcoin, the technology offers more than that. Of course, it remains to be seen which of its applications will take root.
Blockchain has its own barriers, though, particularly when it comes to security. Like any other connected technology, it finds itself the target of hacks and attacks. Billions of dollars in cryptocurrency have been stolen from individual users and exchanges over the years.
The security issue isn’t necessarily with the blockchain itself. That’s highly difficult to hack thanks to encryption and the decentralized nature of the blockchain. Instead, the networks they are on are subject to attack—such as interception attacks where bad actors extract information or cryptocurrency. Other attacks involve flooding the blockchain network with false identities that ultimately crash the system. And yet more exploit weaknesses in the security protocols used by platforms like cryptocurrency exchanges.
Then there’s the tried-and-true phishing attack, where scammers dupe victims into handing over their personal encryption keys. With a key, the scammer can empty digital wallets of their cryptocurrency or compromise a private blockchain network and the data in it.
Clearly, the future remains speculative as people and organizations explore the uses of blockchain technology. Without question, security will play a major role in its adoption.
Unless you’re dabbling in cryptocurrency yourself, blockchain will likely remain a behind-the-scenes technology. At least for the time being.
Yet it can still shape your day in some way. It might help bring fresher produce to your market. It might secure smart utilities and smart infrastructure in your city. And it might give your auto manufacturer a powerful tool for identifying and recalling a faulty part in your car.
Although barriers of security, energy consumption, and equity remain, it stands a good chance that blockchain technology will continue to change our lives. And understanding how it works can help you better understand those changes.
The post Blockchain Basics: What’s Blockchain Technology and How Might It Change Our Lives? appeared first on McAfee Blog.
Read this statement, then read it again: Just five distracted seconds at 55 mph is equivalent to driving the length of a football field with your eyes closed. This alarming truth from the National Highway Traffic Safety Administration (NHTSA) highlights the need for parents to address the issue of distracted driving with their teens.
Additional distracted driving statistics are mind-blowing. According to the NHTSA, 77 percent of drivers admitted to using their phones while driving, 74 percent used their map app, 56 percent read emails or texts, 27 percent updated or checked their social media accounts, and shockingly, 19 percent of drivers—equivalent to one in five—engaged in online shopping while driving.
In the United States, distracted driving has become a leading cause of fatal crashes, accounting for 25 to 30 percent of all fatal crashes. Furthermore, overall highway fatalities have increased by 22 percent, as reported recently by The Los Angeles Times, which attributed this rise to the allure of technology turning our cars into “candy stores of distraction.”
While technology plays a significant role in distracted driving, other everyday choices and factors can also contribute to accidents. Eating while driving, managing a lively pet in the car, navigating unfamiliar streets, and even talking with peer passengers can distract young drivers. Studies have shown that crash risk doubles when teens drive with one peer passenger and quadruples with three or more teen passengers.
In the throes of summer, it’s a great time for parents to have a conversation with their teen drivers about the dangers of distracted driving and texting while driving. Here are some important topics to discuss and tips to help keep your kids safe on the road:
Remember, developing good (or better) habits takes time, effort, consistency, and parental involvement in teen driving. Preventing distracted driving with positive behavior change won’t happen overnight. Repeat yourself when it comes to road safety without apologies. Giving your child rules and expectations demonstrates love. By making some of these shifts, hopefully, you will worry less, raise wiser drivers, and improve safety for everyone on the roads.
The post Parent’s Guide: 8 Ways to Help Your Teen Combat Distracted Driving appeared first on McAfee Blog.
Authored By Anandeshwar Unnikrishnan, Sakshi Jaiswal, Anuradha M
McAfee Labs has recently observed a new malware campaign that used malicious OneNote documents to entice users to click on an embedded file to download and execute the Qakbot trojan.
OneNote is a Microsoft digital notebook application that can be downloaded for free. It is a note-taking app that allows collaboration across organizations while enabling users to embed files and other artifacts. It is installed by default in Microsoft Office 2021 and Microsoft 365.
Malicious actors are always trying to find new ways to infect their victims, such as their shift to LNK files after Microsoft introduced a policy change that disabled Office macros by default. Because OneNote lets users attach files to documents, OneNote documents make a good alternative to LNK files as a distribution vehicle for malware. This blog contains analysis of how OneNote documents are used maliciously and of two specific campaigns that made use of OneNote documents to download and execute the Qakbot malware.
Figure 1 shows the geographic distribution of McAfee customers detecting malicious OneNote files.
Based on the telemetry from our endpoints we have identified the following threat families deployed through OneNote documents:
A holistic view of the phishing campaigns that weaponize OneNote documents is shown in Figure 2 below. The malicious document is delivered to the target in either zip files or ISO images through phishing emails. We have observed that most of the malicious documents contain either a Windows batch script that invokes PowerShell to drop the malware on the system or Visual Basic scripts that do the same.
The generic theme of the email is invoice or legal related. These types of themes are more likely to be opened by the victim. An example email body and attachment are shown in Figures 3 and 4.
To understand how the data is laid out in the file, we need to examine it at byte level. Taking a close look at a OneNote document gives us an interesting observation: the magic bytes in its header are not trivial. Figure 5 shows the first 16 bytes of the document binary.
The first 16 bytes need to be interpreted as the GUID value {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}. We can use the official OneNote specification to make sense of all the bytes and their structure. Figure 6 shows header information taken from the OneNote specification document.
The Data Stream in OneNote, Say Hello To FileDataStoreObject
To find the embedded data in a OneNote document, we need to learn more about the FileDataStoreObject which has a GUID value of {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}. The structure that holds the data is shown below:
The FileData member of the FileDataStoreObject is the key member that holds the embedded data in the OneNote document. The size can be retrieved from the cbLength member.
Figure 7 shows the “on disk” representation of the FileDataStoreObject. This is taken from a malicious OneNote document used to spread the Qakbot payload. The guidHeader for the data object is highlighted in yellow and the data is shown in red. As is evident from the image, the data represents a text file, which is a script to launch PowerShell.
For more information on the OneNote specification, go to the reference section.
Now that we have an idea of what the data object is, we can automate the process of extracting embedded artifacts from the OneNote document for further analysis by following the algorithm below.
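One way to automate that extraction for triage, as an added example that is not McAfee's own tooling: scan the file for the FileDataStoreObject guidHeader, read cbLength, and carve out FileData. The two GUIDs marked "from the page" are the ones quoted above; the field sizes (16-byte guidHeader, 8-byte cbLength, 4 unused and 8 reserved bytes before FileData) and the guidFooter value are taken from the MS-ONESTORE specification and are assumptions as far as this page goes. The sample document is constructed inline and reuses the harmless "whoami" batch idea from the test document described below.

```python
import hashlib
import struct
import uuid

# GUIDs are stored on disk in the mixed-endian form that uuid.bytes_le produces.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le    # from the page
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le  # from the page
# Assumption (MS-ONESTORE, not quoted on this page): the guidFooter value.
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
# Assumption (MS-ONESTORE): guidHeader(16) + cbLength(8) + unused(4) + reserved(8),
# then cbLength bytes of FileData, optional padding, guidFooter(16).
PREFIX_LEN = 36
MAX_OBJECT = 64 * 1024 * 1024  # sanity cap against a bogus cbLength


def is_onenote(blob: bytes) -> bool:
    """True when the first 16 bytes are the OneNote header GUID."""
    return blob[:16] == ONE_MAGIC


def guess_kind(data: bytes) -> str:
    """Coarse triage label for an extracted object."""
    if data[:2] == b"MZ":
        return "pe"
    head = data[:512]
    if head and all(b in b"\t\r\n" or 32 <= b < 127 for b in head):
        return "text"  # batch, HTA, VBS and PowerShell scripts land here
    return "binary"


def extract_embedded_files(blob: bytes) -> list:
    """Carve every FileDataStoreObject; flag objects whose length runs past EOF."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        if pos + PREFIX_LEN > len(blob):
            found.append({"offset": pos, "status": "truncated", "size": None, "data": None})
            break
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + PREFIX_LEN
        end = start + cb_length
        resume = pos + 1
        if cb_length > MAX_OBJECT or end > len(blob):
            # Either a chance match on the GUID bytes or a damaged file.
            found.append({"offset": pos, "status": "truncated",
                          "size": cb_length, "data": None})
        else:
            data = blob[start:end]
            found.append({
                "offset": pos, "status": "ok", "size": cb_length,
                # Footer may sit after up to 7 bytes of alignment padding.
                "footer_ok": FDSO_FOOTER in blob[end:end + 7 + 16],
                "sha256": hashlib.sha256(data).hexdigest(),
                "kind": guess_kind(data),
                "data": data,
            })
            resume = end
        pos = blob.find(FDSO_HEADER, resume)
    return found


def build_sample():
    """Constructed sample: one complete object and one cut-off object."""
    payload = b"@echo off\r\nwhoami\r\n"
    pad = b"\x00" * (-len(payload) % 8)
    good = (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
            + payload + pad + FDSO_FOOTER)
    cut = FDSO_HEADER + struct.pack("<Q", 1000) + b"\x00" * 12 + b"short"
    return ONE_MAGIC + b"\x00" * 32 + good + b"\x00" * 16 + cut, payload


if __name__ == "__main__":
    sample, _ = build_sample()
    print("OneNote magic:", is_onenote(sample))
    for obj in extract_embedded_files(sample):
        print({k: v for k, v in obj.items() if k != "data"})
```

Hash each extracted object and handle it as untrusted input; the "text" label only says the bytes are printable, not that the content is benign.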
Looking at the runtime characteristics of OneNote Desktop application we have observed that when an embedded file gets executed by the user, it is stored temporarily in the OneNote directory in the User’s Temp location. Each directory with GUID values represents a different document opened in the OneNote application.
By analyzing numerous malicious documents, we have been able to create a “test” OneNote document that executes a batch file that contains the “whoami” command. The image in Figure 9 shows the batch file being created in the user’s temp location.
This section contains specific details on a Qakbot campaign. In campaign 1, the malware author used phishing emails to deliver a malicious OneNote document either as an attachment or as a URL link to a zip file containing the OneNote document. The OneNote document contained an HTA file that, once executed, would make use of the curl utility to download Qakbot and then execute it.
The OneNote file with the embedded HTA file is shown in Figure 11. Once this OneNote file is opened, it prompts the user with a fake message to double-click on open to view the attachment.
Upon clicking the Open button, it drops the HTA file with the name Open.hta to the %temp% folder and executes it using mshta.exe.
The HTA file contains obfuscated script as shown below:
The HTA file is loaded by MSHTA and creates a registry key in HKEY_CURRENT_USER\SOFTWARE\ with obfuscated content as shown below:
De-obfuscated content from the HTA file is shown below:
Figure 18 shows the process tree of Qakbot:
Type | Value | Product | Detected |
Campaign 1 – OneNote File | 88c24db6c7513f47496d2e4b81331af60a70cf8fb491540424d2a0be0b62f5ea | Total Protection and LiveSafe | VBS/Qakbot.a |
Campaign 1 – HTA File | e85f2b92c0c2de054af2147505320e0ce955f08a2ff411a34dce69c28b11b4e4 | Total Protection and LiveSafe | VBS/Qakbot.b |
Campaign 1 – DLL File | 15789B9b6f09ab7a498eebbe7c63b21a6a64356c20b7921e11e01cd7b1b495e3 | Total Protection and LiveSafe | Qakbot-FMZ |
The OneNote document for campaign 2 is shown in Figure 19. At first glance, it appears that there is an ‘Open’ button embedded within the document. The message above the ‘Open’ button instructs the user to “double click” in order to receive the attachment.
A closer look at the document reveals the graphical elements are all images placed in a layered style by the malicious actor. By moving the icons aside, we can see the malicious batch file which when executed downloads the payload from the Internet and executes on the target system.
Execution Of Payload Dropper
Upon execution of the batch file, PowerShell is invoked; it fetches the Qakbot payload from the Internet and executes it on the target system. This section covers details of the dropper script used to deploy Qakbot. Figure 21 shows the process tree after the execution of the script: powershell.exe was launched by cmd.exe, and the parent of cmd.exe is onenote.exe.
The contents of process cmd.exe (7176) are shown below.
The base64-decoded batch file is shown in Figure 23. It uses PowerShell to download the payload and then executes it with rundll32.exe.
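The process trees described for both campaigns (onenote.exe as the ancestor of cmd.exe and powershell.exe, or of mshta.exe and curl.exe) translate directly into a detection rule over process-creation telemetry. The following is an added example, not McAfee's detection logic: the event format, the PIDs other than 7176 and the file paths are constructed for illustration, and the watched image names are the ones this post mentions.

```python
import ntpath

OFFICE_PARENT = "onenote.exe"
# Script hosts and utilities named in this post as running underneath OneNote.
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "curl.exe", "rundll32.exe"}
MAX_DEPTH = 16  # bound the ancestor walk


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return ntpath.basename(path).lower()


def ancestry(event: dict, by_pid: dict) -> list:
    """Return [process, parent, grandparent, ...] for one event."""
    chain, seen, current = [event], {event["pid"]}, event
    while len(chain) < MAX_DEPTH:
        parent = by_pid.get(current["ppid"])
        if parent is None or parent["pid"] in seen:  # unknown parent or PID loop
            break
        chain.append(parent)
        seen.add(parent["pid"])
        current = parent
    return chain


def find_onenote_descendants(events: list) -> list:
    """Flag watched processes that have onenote.exe anywhere in their ancestry."""
    # Real telemetry should key on (pid, start time) or a process GUID,
    # because Windows reuses PIDs; plain pid is enough for this sample.
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if image_name(event["image"]) not in WATCHED_CHILDREN:
            continue
        names = [image_name(p["image"]) for p in ancestry(event, by_pid)]
        if OFFICE_PARENT in names:
            depth = names.index(OFFICE_PARENT)
            alerts.append({"pid": event["pid"],
                           "chain": list(reversed(names[:depth + 1]))})
    return alerts


# Constructed process-creation events (only PID 7176 appears in the post).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    # Campaign 2 shape: onenote.exe -> cmd.exe -> powershell.exe / rundll32.exe
    {"pid": 4100, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\ONENOTE.EXE"},
    {"pid": 7176, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 7300, "ppid": 7176, "image": r"C:\Windows\System32\powershell.exe"},
    {"pid": 7410, "ppid": 7176, "image": r"C:\Windows\System32\rundll32.exe"},
    # Campaign 1 shape: onenote.exe -> mshta.exe -> curl.exe
    {"pid": 5200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\ONENOTE.EXE"},
    {"pid": 5300, "ppid": 5200, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 5400, "ppid": 5300, "image": r"C:\Windows\System32\curl.exe"},
    # Benign admin activity: explorer.exe -> cmd.exe -> powershell.exe
    {"pid": 6000, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 6100, "ppid": 6000, "image": r"C:\Windows\System32\powershell.exe"},
]

if __name__ == "__main__":
    for alert in find_onenote_descendants(SAMPLE_EVENTS):
        print(alert["pid"], " -> ".join(alert["chain"]))
```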
Type | Value | Product | Detected |
Campaign 2 – Zip File | 000fb3799a741d80156c512c792ce09b9c4fbd8db108d63f3fdb0194c122e2a1 | Total Protection and LiveSafe | VBS/Qakbot.a |
Campaign 2 – OneNote File | 2bbfc13c80c7c6e77478ec38d499447288adc78a2e4b3f8da6223db9e3ac2d75 | Total Protection and LiveSafe | One/Downloader.a |
Campaign 2 – PowerShell File | b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424 | Total Protection and LiveSafe | PS/Agent.gs |
Campaign 2 – OneNote File | a870d31caea7f6925f41b581b98c35b162738034d5d86c0c27c5a8d78404e860 | Total Protection and LiveSafe | VBS/Qakbot.a |
starcomputadoras.com
Malware authors are getting more sophisticated when it comes to hiding their payloads. This blog highlights the recent Qakbot campaign, which uses the OneNote application as a delivery mechanism for its payload. McAfee customers should keep their systems up-to-date and refrain from clicking links and opening attachments in suspicious emails to stay protected.
The post The Rising Trend of OneNote Documents for Malware delivery appeared first on McAfee Blog.