A detailed analytical report by a security firm revealed the technical aspects of QakBot, a decade-old banking Trojan. Active since 2007, it has continued to claim victims while evolving over the years.

The attack chain analysis

Kaspersky has released the technical analysis report detailing the trojan’s infection chain, typical functions, communication with C2, and more.
  • QakBot is mostly known for targeting its victims via spam. Only since last year has it started using phishing emails with ZIP attachments containing Office documents.
  • The documents include macros, and victims are urged to open the attachment, which claims to contain important information. In some instances, the emails carried links to web pages distributing malware-laced documents.
  • The malware then uses a DLL binary loader, communicates with the C2 server, and pushes ProLock ransomware.
  • QakBot's malicious activities usually include collecting information about the compromised host, creating scheduled tasks, harvesting credentials, and manipulating the registry, among others.
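The delivery pattern described above (a ZIP attachment carrying a macro-enabled Office document) can be checked at the mail gateway before the loader stage is ever reached. The inspector below is an added example, not code from the article or from Kaspersky's report; the attachment names and the legacy-OLE macro heuristic are assumptions for the demo.

```python
"""Flag ZIP e-mail attachments whose members are Office documents with VBA macros."""
import io
import zipfile

# Office extensions worth inspecting inside an attached archive (assumed list)
OFFICE_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm", ".doc", ".xls")


def office_has_macros(data: bytes) -> bool:
    """OOXML documents are ZIPs; a macro project is stored as */vbaProject.bin.
    Legacy OLE2 files (.doc/.xls) are checked with a heuristic: OLE stream names
    are UTF-16LE, so the bytes of "VBA" in that encoding indicate a VBA project."""
    if data[:4] == b"\xd0\xcf\x11\xe0":  # OLE2 compound-file signature
        return "VBA".encode("utf-16-le") in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_zip_attachment(blob: bytes) -> list[str]:
    """Return the names of macro-bearing Office documents inside a ZIP attachment."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as archive:
            for info in archive.infolist():
                if info.filename.lower().endswith(OFFICE_EXT):
                    if office_has_macros(archive.read(info)):
                        findings.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a ZIP at all; nothing to inspect here
    return findings


def build_sample_attachment() -> bytes:
    """Constructed test input: a ZIP holding one macro document and one clean one."""
    def office_doc(with_macro: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as doc:
            doc.writestr("[Content_Types].xml", "<Types/>")
            doc.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                doc.writestr("word/vbaProject.bin", b"\x00" * 16)
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as archive:
        archive.writestr("Invoice_Details.docm", office_doc(True))   # assumed name
        archive.writestr("Cover_Letter.docx", office_doc(False))     # assumed name
    return outer.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_attachment()))  # ['Invoice_Details.docm']
```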

The report also shed light on additional modules and statistics regarding QakBot-based attacks.

Additional insights

  • The report suggests that the malware carries a list of 150 IP addresses in a resource of the loader binary. These addresses mostly belong to infected systems that are used as proxies to forward traffic to another proxy or to the main C2.
  • The actors use multiple additional modules, identified as Cookie Grabber, Hidden VNC, Email Collector, Hooking module, Pass Grabber module, Proxy module, and Web inject.

Figures of the rising threat

In the first seven months of this year, Kaspersky spotted 181,869 attempts to download or execute QakBot. This number is lower than the detections from January to July 2020.
  • The number of targeted users increased by 65% from last year and now has reached 17,316.
  • In Q1 2021, 12,704 Kaspersky users were targeted, of which 8,068 users were hit in January and 4,007 were hit in February.

Conclusion

QakBot has been stealing information and performing many other disruptive functions for financial gain. The threat, as it appears, is here to stay. Therefore, one needs to watch its activities and ensure the right security measures are in place across different endpoints.

Cyware Publisher