The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection.
“Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 to trick victims into downloading malicious attachments that install Qakbot,” Zscaler Threatlabz researchers Tarun Dewan and Aditya Sharma said.
Other methods adopted by the group include code obfuscation, introducing new layers in the attack chain from initial compromise to execution, and using multiple URLs as well as unknown file extensions (e.g., .OCX, .ooccxx, .dat, or .gyp) to deliver the payload.
Also called QBot, QuackBot, or Pinkslipbot, Qakbot has been a recurring threat since late 2007, evolving from its initial days as a banking trojan to a modular information stealer capable of deploying next-stage payloads such as ransomware.
“Qakbot is a flexible post-exploitation tool that incorporates various layers of defense evasion techniques designed to minimize detections,” Fortinet disclosed in December 2021.
“Qakbot’s modular design and infamous resiliency in the face of traditional signature-based detection make it a desirable first choice for many financially motivated groups (cyber criminals).”
The shifting tactics adopted by the malware from XLM macros in early 2022 to .LNK files in May is seen as an attempt to counter Microsoft’s plans to block Office macros by default in April 2022, a decision it has since temporarily rolled back.
In addition, further modifications include the use of PowerShell to download the DLL malware and a switch from regsvr32.exe to rundlll32.exe to load the payload, in what the researchers described as a “clear sign of Qakbot evolving to evade updated security practices and defenses.”