Qakbot Assembles Itself from Encrypted Halves to Evade Detection

The researchers found that the new Qakbot version adds scheduled tasks to the systems it compromises. These tasks download the malware's binary spread over multiple archives, recompose it on the compromised system, and relaunch the malware after each system restart to avoid removal. As further explained in the analysis, one of the scheduled tasks created by the malware after being dropped on an infected computer will "execute a JavaScript downloader that makes a request to one of several hijacked domains." Comment strings added to the JavaScript downloader suggest that the new features were added to Qakbot on March 15; taken together, these hints indicate that the new capabilities were introduced at the start of the newly detected malware campaign. The downloaded data arrives as two .zzz files and is decrypted with code contained in the JavaScript downloader. The second scheduled task added by Qakbot then reassembles the decrypted data from the two downloaded .zzz files with the help of a specially crafted batch file.
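A defender-side check suggested by the behaviour described above, written here as an added example that is not part of the original report or of any Qakbot analysis: it parses a Windows Task Scheduler XML export and flags boot- or logon-triggered tasks whose action launches wscript, cscript or cmd on a .js or .bat file. The sample task XML and the file paths in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Windows Task Scheduler XML namespace (used by `schtasks /query /xml` exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
SCRIPT_EXTS = (".js", ".jse", ".bat", ".cmd")
PERSIST_TRIGGERS = {"BootTrigger", "LogonTrigger"}

def task_findings(task_xml: str) -> list[str]:
    """Return reasons a task export matches the pattern above: a task that
    re-runs at boot/logon and whose action is a script host (wscript, cscript
    or cmd) running a .js or .bat file. An empty list means no match."""
    root = ET.fromstring(task_xml)
    triggers = set()
    trig_el = root.find("t:Triggers", NS)
    if trig_el is not None:  # an Element with no children is falsy, so test None
        triggers = {child.tag.rsplit("}", 1)[-1] for child in trig_el}
    persistent = sorted(triggers & PERSIST_TRIGGERS)
    findings = []
    for exe in root.iterfind("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", "", NS).strip().strip('"')
        args = exe.findtext("t:Arguments", "", NS)
        host = cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if host not in SCRIPT_HOSTS:
            continue  # e.g. a vendor updater.exe: not the pattern we look for
        tokens = args.lower().replace('"', " ").split()
        if not any(tok.endswith(SCRIPT_EXTS) for tok in tokens):
            continue
        when = "/".join(persistent) if persistent else "no boot/logon trigger"
        findings.append(f"{host} runs script ({when}): {args.strip()}")
    return findings

# Constructed sample exports (not real Qakbot artifacts); paths are placeholders.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\wscript.exe</Command>
    <Arguments>//E:javascript "C:\\Users\\Public\\dl.js"</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2000-01-01T09:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>"C:\\Program Files\\Vendor\\updater.exe"</Command><Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", task_findings(xml) or ["no findings"])
```

The heuristic only flags the scheduled-task shape described in the report; it should be combined with a look at what the referenced script actually does before treating a hit as an infection.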