Threat management firm Cofense has reported a Geodo campaign that is now dropping Qakbot malware onto victims' systems.
According to the firm's report, the Geodo botnet delivers Qakbot directly through phishing. The campaigns also appear to have narrowed their targeting to specific users, notably US government agencies.
According to Cofense, the campaign resembled Geodo's earlier campaigns. “The structure of the campaign delivering Qakbot followed the typical Geodo lifecycle: a weaponized Office document containing hostile macros delivered via a phishing campaign, except the initial payload—Qakbot—was anything but typical,” the Cofense report states. One of the campaigns also used French-language spam.
If the macros execute, they launch PowerShell to download the Qakbot payload. What is new is that the downloader validates what it received before using it: it first checks that the downloaded file is larger than 40 KB, and only then checks whether the file is an EXE.
If both checks pass, the executable is saved as ‘914.exe’ in the system's Temp directory and run. Once it starts infecting the system, the payload performs two further checks, anti-analysis and anti-sandbox, and tries to pass itself off as legitimate system activity.
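The two download-time gates described above are worth seeing in code, because they explain why a sandbox or proxy that answers the download with a small block page or a stub file never gets to observe Qakbot at all. The following is an added analyst's emulation of the check, not the campaign's PowerShell and not code from Cofense's report; the 40 KB threshold comes from the article, while the specific way the "is it an EXE" test is implemented (DOS "MZ" header plus the "PE\0\0" signature at e_lfanew) is an assumption about how such a check is usually done. The sample inputs are constructed inline.

```python
import struct

MIN_SIZE = 40 * 1024  # the 40 KB floor reported by Cofense


def looks_like_pe(data: bytes) -> bool:
    """Return True if data starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature inside the buffer.
    This is an assumed implementation of the article's 'is it an EXE' test."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def passes_downloader_checks(data: bytes) -> bool:
    """Emulates the downloader's two gates in the order the article gives:
    size above 40 KB first, then the executable-header test."""
    return len(data) > MIN_SIZE and looks_like_pe(data)


def fake_pe(total_size: int) -> bytes:
    """Constructed stand-in for a downloaded executable: a 64-byte DOS header
    with e_lfanew = 0x80, a PE signature at 0x80, zero-padded to total_size.
    It is not a runnable binary, only enough structure to pass the header test."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40 bytes of DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)         # e_lfanew -> 0x80
    hdr += b"\0" * (0x80 - len(hdr))                # DOS stub padding
    hdr += b"PE\0\0"                                # NT signature
    return bytes(hdr) + b"\0" * max(0, total_size - len(hdr))


# Constructed responses a sandbox, proxy or takedown page might return instead
# of the real payload. The HTML decoy is about 78 KB, so it clears the size gate
# but fails the executable test; the truncated PE fails the size gate.
DECOY_HTML = b"<html><body>Access denied</body></html>" * 2000
TRUNCATED_PE = fake_pe(20 * 1024)
FULL_PE = fake_pe(60 * 1024)


def triage(samples: dict) -> dict:
    """Run every constructed response through the emulated gates and report
    which ones the downloader would have gone on to write to Temp and execute."""
    return {name: passes_downloader_checks(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage({"decoy_html": DECOY_HTML,
                                 "truncated_pe": TRUNCATED_PE,
                                 "full_pe": FULL_PE}).items():
        print(f"{name:13s} -> {'would run' if verdict else 'discarded'}")
```

The practical consequence for an analyst is that reproducing the chain requires serving the downloader a response that clears both gates; an interception that returns an HTML notice or a cut-off file is silently discarded, and the absence of a `914.exe` in Temp then says nothing about whether the macro was benign.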
Another noteworthy aspect of this Geodo campaign is its targeting. Cofense stated that Geodo targeted employees of a US state-level government department, lending the lures credibility with internal email signatures, recipient-specific addressing, and quoted earlier message threads. The campaign may therefore be evolving to target similar organizations across the US.