Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

OneNote Spear-Phishing Campaign

Trustwave SpiderLabs “noted” in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.

In this blog, we uncover the current attack techniques with the detection of network indicators and MITRE coverage.

For details about the initial decoy document, please refer to the TWSL blog Trojanized OneNote Document Leads to Formbook Malware.


Figure 1. Initial Decoy OneNote


Malware Campaigns

The current investigation starting January 31, 2023, shows the campaign is primarily delivering Qakbot and stealers like XWorm, Icedid, and AsyncRAT. We observed different infection chains with the PowerShell download cradle, VBS downloaders and batch file executions. Below are some of the techniques observed.

PowerShell Download Cradle:

  • PowerShell download cradle -> Qbot DLL download -> Execute via Rundll32.exe -> Inject to process.


Figure 2.  PowerShell download cradle - Method 1


Figure 3. PowerShell download cradle - Method 2


Figure 4. PowerShell download cradle - Method 3


VBS Downloader/Installer:

  • exe -> VBS Downloader -> Download batch file with encrypted payload -> Drops PowerShell.exe as renamed -> PowerShell.exe decrypts and executes payload.


Figure 5. VBS Installer with PowerShell - Method 1

  • exe -> JavaScript payload execution - > VBS script execution -> PowerShell download cradle downloads and executes payload.


Figure 6. VBS Installer with PowerShell - Method 2


Analysis of Qakbot aka Qbot

SpiderLabs has observed Qakbot more than any other malware variants. As of this date, we have observed five-bot campaigns from Qakbot with 264 C2s. Below is the analysis from the Qakbot file.


Qakbot Infection Flow

As seen from the above techniques, Qakbot was delivered using multiple downloading techniques with PowerShell or MSHTA predominantly used as the initial payload delivery.


Figure 7. Qakbot Infection Chain

  1. The initial decoy OneNote document is embedded with an ‘Open.cmd’ file.
  2. Upon execution of ‘Open.cmd’, it invokes the PowerShell download cradle.
  3. The hex encoded data is then decoded and passed to the parser to download the Qbot DLL.


Figure 8. PowerShell Download Cradle Parser

  1. Once downloaded, it will get executed with Rundll32.exe with the ‘Wind’ function.
  2. The Qbot packed DLL then injects into memory of process ‘grpconv.exe’ (‘msra.exe’ in some instances), and starts networking connections to Qbot C2’s.


Figure 9. Qakbot Injected into ‘grpconv.exe’ Process.


Figure 10. Qakbot C2's Decrypted in Memory


Figure 11. Qakbot Post C2 Connections

  1. The encrypted data is stored in the registry. The key would be random and not in a readable format. The decrypted stored registry values show the Qbot campaign name and persistence created.
  • The variant of Qbot malware will have its unique BotName tag for campaign identification. As of now we have five Qbot bot tags: BB12, BB14, BB15, tok01, and Obama239.


Figure 12. Decrypted Strings from Registry Shows the Qakbot Botnet Tag ‘BB15’

  • The decrypted registry value shows the persistence to Qakbot DLL.


Figure 13. Decrypted Strings from Registry Shows the Qakbot Persistence


Decrypted Qakbot Strings from Memory

The decrypted Qakbot strings from memory show lots of their behaviors, some of which are:

  • Querying for installed security products and running debuggers.


Figure 14. Decrypted Qakbot Strings


Figure 15. Checking for Installed Security Products and Debuggers Running

  • Post infection data collected for profiling victim and sent to C2.


Figure 16. Post Infection Data Collected

  • The memory dumps show more interesting traces like campaign name, persistence, victim bot-id, and C2 requests.


Figure 17. More info - Campaign Name, Persistence, Victim BotID


XWorm and Icedid

SpiderLabs has observed the usage of OneNote decoy documents by other malware variants like XWorm and Icedid. This is because they share a similar infection pattern along with VB Script payload installers.


Figure 18. XWorm Infection Flow


Figure 19. ICEdid Infection Flow



From the above infection flow, we can frame our detection rules custom to the working security appliances, some of which are:

  • OneNote with child process ‘cmd.exe’ with command line contains ‘.cmd,.gif,.jpeg,.jpg,.pdf,.bat.'
  • Multiple variants of PowerShell download cradles
  • OneNote with child process ‘wscript.exe, mshta.exe.’
  • A process events search for mshta.exe. In some cases, this will be run as a new instance.
  • The command line contains ‘Rundll32’ and ‘.cmd,.gif,.jpeg,.jpg,.pdf,.bat.’
  • Rundll32 events with DLLs run with ordinal functions ‘Wind’, ‘Updt’
  • Rundll32 events with network connections are a good indicator.
  • Rundll32 as parent process with any child (Suspected Injected Process) and having network connections.

The Rundll32 events will be noisy, but it is a good starting point for an investigation that, as a goal, is "Better safe than sorry."


MITRE Coverage



Defense Evasion

File and Directory Permissions Modification - T1222


Obfuscated Files or Information - T1027


Obfuscated Files or Information: Indicator Removal from Tools - T1027.005


Rundll32 - T1218.011


Regsvr32 - T1218.010


Deobfuscate/Decode Files or Information - T1140


Mshta - T1218.005


Process Injection - T1055


Modify Registry - T1112


File and Directory Discovery - T1083


System Information Discovery - T1082


System Location Discovery - T1614


Query Registry - T1012


Command and Scripting Interpreter - T1059


User Execution - T1204


Malicious File - T1204.002


Malicious Link - T1204.001


Windows Management Instrumentation - T1047

Initial Access

Spearphishing Attachment - T1566.001


Registry Run Keys / Startup Folder - T1547.001


Scheduled Task - T1053.005

Command and Control

Application Layer Protocol - T1071



Once an adversary has successfully gained a foothold with their initial access being a phishing email, they must establish a backdoor and persistence. There are many ways to accomplish these feats, all while evading detection. Depending on what reconnaissance informs them and the intel they gather from their target’s environment, the tools they use to employ those techniques can vary. Therefore, it is ever important to remain vigilant and continually hunt for these behaviors.

Trustwave's recent revamp of its Advanced Continual Threat Hunt (ACTH) with a new patent-pending methodology enables Trustwave to conduct threat hunts and monitor our customers as this campaign continues. ACTH is now offered as an option in Trustwave's Managed Detection and Response Services. For more information, please read Trustwave Revamps Continual Threat Hunting Enabling Significantly More Hunts and Unique Threat Findings.


IoCs for payload delivery URLs and Qakbot C2 IP Addresses are available here:

Latest SpiderLabs Blogs

Secure Access Service Edge: Another Multi-Tool for the SOC

Over the years, several security defense architectures have merged into a single solution. Endpoint detection tools can perform sophisticated detections and correlations that used to require a...

Read More

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a...

Read More

The Sentinel’s Watch: Building a Security Reporting Framework

Imagine being on shift as the guard of a fortress. Your job is to identify threats as they approach the perimeter. The more methods you have for detecting those threats, the better your chances of...

Read More