0ddj0bb · @0ddj0bb
858 followers · 604 posts · Server infosec.exchange
0ddj0bb · @0ddj0bb
858 followers · 604 posts · Server infosec.exchange
At 12:15pm est today you can see my analysis of the #QakNote Campaign using #OneNote to deliver #Qakbot on #Glassof0J
#qaknote #onenote #qakbot #Glassof0J #infosec #hacking #cybercrime #ioc #ioa
Zak · @Zak_Sec
19 followers · 22 posts · Server infosec.exchangeReading through the Sophos Blog on #QakNote gave some opportunity for some #regex practice:
EmailAttachmentInfo
| join EmailEvents on NetworkMessageId
| where FileName matches regex @'(?:ApplicationReject_)\d{5}.\w{5}.(?:.one)' or
FileName matches regex @'(?:ComplaintCopy_)\d{5}.\w{5}.(?:.one)'
Happy Hunting ~
https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/
Sophos X-Ops · @SophosXOps
1349 followers · 131 posts · Server infosec.exchange
#OneNote #maldoc Our coverage of this #malware campaign includes a breakdown of the attack chain, IOCs, and some other curious details. People unfamiliar with OneNote as a weaponized document format should get used to this; #QakNote #maldocs are probably here to stay. 6/6
https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/
#onenote #maldoc #malware #qaknote #maldocs
Andrew 🌻 Brandt L :verified: L 🐇 · @threatresearch
1957 followers · 694 posts · Server infosec.exchange
@SophosXOps
Our coverage of this #malware campaign includes a breakdown of the attack chain, IOCs, and some other curious details -- such as the fact that the embedded graphic elements were originally added to the document using filenames in the Russian language. "Curious," that.
People unfamiliar with OneNote as a weaponized document format should get used to this; #QakNote #maldocs are probably here to stay -- at least, until mail server admins decide to block all inbound .one attachments. 6/6