Emotet Replaced Trickbot With QakBot Within One Day of Emergence

After a break of more than five months, like old times, Emotet had recently started distributing the same secondary malware - Trickbot. However, it seems that it has found a new partner as a secondary malware - QakBot or QBot, a worm-like strain of information-stealing malware that is active since 2007.


How things changed

Cryptolaemus researchers recently spotted Qakbot's activities, a follow-up payload for Emotet. QakBot is already known to be one of the preferred partners for Emotet, while the other being Trickbot.
  • An Emotet campaign with the id ‘partner01’ was found distributing Qakbot malware on all epochs instead of Trickbot. 
  • For the distribution, Emotet used malicious documents sent via emails.
  • Other security researchers also found some samples and confirmed that Emotet is now distributing Qakbot as secondary malware.


Not a new partnership

Emotet, TrickBot, and QakBot are all linked to the Russian-speaking hacker groups and have been interacting for a long time.
  • In March 2019 and December 2018, Emotet infection malspam campaigns were seen distributing Qakbot as a secondary payload.
  • In July 2018, threat group, Mealybug, used the Emotet malware to spread Qakbot to steal online banking credentials from Europeans.


Recent Qakbot attacks without Emotet

Qakbot has been active even in the absence of Emotet. It has self-propagating capabilities that allow hackers to spread aggressively on a network at once.
  • In June 2020, with new functions and new stealth capabilities, Qakbot campaign targeted banks like JP Morgan, Citibank, Bank of America, Citizens, Capital One, Wells Fargo, FirstMerit Bank, and many other.
  • In May 2020, ProLock ransomware strain gained access to government, healthcare, financial, and retail networks via the Qakbot (Qbot) trojan.


What can be expected

It isn't the first time that a change in the delivered payload has been observed. Previously, such changes have happened and, based on that experience, security experts believe that the original duo will appear again in future attacks.