Qakbot operations continue to evolve to avoid detection

Experts warn that operators behind the Qakbot malware operation are improving their attack chain in an attempt to avoid detection.

Qakbot, also known as QBot, QuackBot and Pinkslipbot, is an info-stealing malware that has been active since 2008. The malware spreads via malspam campaigns, it inserts replies in active email threads.

The threat continues to evolve implementing new attack vectors to evade detection, Zscaler Threatlabz researchers warn. The experts spotted a significant uptick in the spread of Qakbot malware over the past six months using several new techniques. 

“Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0  to trick victims into downloading malicious attachments that install Qakbot.” reads the analysis published by Zscaler. “Other more subtle techniques are being deployed by threat actors to prevent automated detection and raise the odds that their attack will work, including obfuscating code, leveraging multiple URLs to deliver the payload, using unknown file extension names to deliver the payload, and altering the steps of the process by introducing new layers between initial compromise, delivery, and final execution.”

The attacks observed by Zscaler employed malicious messages using ZIP archive file having embedded files such as Microsoft Office files, LNK, and Powershell.

ThreatLabz reported that the attackers are using various different file names to disguise attachments designed to deliver Qakbot. Common file names used in the recent campaigns include a description, generated numbers, and dates (i.e. Compensation-1172258432-Feb-16.xlsb, Compliance-Report-1634724067-Mar-22.xlsb). The files also feature common keywords for finance and business operations the attempt to trick victims into believing that they are everyday business documents.

“Once the user clicks “Enable Content” to view the attachment, the macro is activated to look for a subroutine with a pre-defined function, in this case starting with auto_open777777. In the next step of the sequence, the URLDownloadToFile function is imported and called to download  the malicious Qakbot Payload and drop it into the C:\ProgramData\ location on the victim’s machine with the filename .OCX which is actually Qakbot DLL.” continues the analysis. “Then WinAPI EXEC from Excel4Macro directly executes the malicious payload or loads the payload using regsvr32.exe.”

The experts also observed the use of PowerShell to download the malicious code and a switch from regsvr32.exe to rundlll32.exe to load the malicious payload in the attempt to evade detection.

Zscaler researchers highlight the importance of the human factor for the success of these attacks, it recommends that organizations train users to properly manage attachments, avoiding to open attachments sent from untrusted or unknown sources. The experts also recommend users to verify URLs in their browser address bar before entering credentials.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]