Qakbot: A Reliably Adaptable Malware
Category: Malware Campaign | Industry: Global | Source: Zscaler
The attack chains Qakbot used between March and May 2023 all began with phishing or spam email delivering one of three lures: an HTML file that uses HTML smuggling, a malicious PDF document, or a OneNote notebook. These documents, posing as invoices or reports, fetch the attacker's initial payload, typically a zip archive containing a Microsoft Excel add-in (XLL), a Windows Script File (WSF), or an HTA file. In the OneNote variant, the lure instead downloads an MSI installer disguised as a Microsoft Azure installer. Once the initial payload is on disk, Qakbot executes it through living-off-the-land binaries (LOLBins), applying various evasion techniques along the way, to download the final-stage Qakbot DLL and start command-and-control (C2) communication.
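HTML smuggling works by shipping the payload inside the page itself, usually as a base64 string that JavaScript decodes into a Blob and "downloads" locally, so no archive ever crosses the network as a file that a gateway could inspect. The script below, an added example that is not code from the original page or from Zscaler, shows how an analyst can triage such a lure offline: it pulls every long base64 run out of the HTML, decodes it, classifies the result by magic bytes, and lists the members of any zip archive it finds. The lure page, the archive name and the placeholder WSF text are all constructed for this example; real Qakbot lures differ.

```python
"""Extract and identify payloads embedded in an HTML-smuggling lure page.

Added example, not code from the original page or from Zscaler. The lure
page and the archive inside it are constructed here for the example; real
Qakbot lures differ in names, JavaScript and content.
"""
import base64
import binascii
import io
import re
import zipfile

# Leading bytes of file types commonly smuggled as the first stage.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"MZ": "pe",                 # EXE, DLL and XLL add-ins all carry a DOS 'MZ' header
    b"\xd0\xcf\x11\xe0": "ole",  # legacy Office documents and MSI packages
}

# Long runs of base64 alphabet characters; short runs are ordinary page text.
B64_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")


def identify(data: bytes) -> str:
    """Classify a decoded blob by its magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extract_payloads(html: str) -> list[tuple[str, int, list[str]]]:
    """Return (file_type, size, archive_members) for each decodable base64 blob."""
    found = []
    for match in B64_RE.finditer(html):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # a long token that is not valid base64 (e.g. a hash)
        kind = identify(blob)
        members: list[str] = []
        if kind == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                kind = "zip(corrupt)"
        found.append((kind, len(blob), members))
    return found


def build_sample_html() -> str:
    """Build a constructed lure page: an 'invoice' that drops a zipped WSF via atob()/Blob."""
    # Placeholder script text standing in for the WSF stage; it performs no action.
    inner = b"' placeholder Windows Script File; a real dropper fetches the next stage\r\n" * 3
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_2023-04.wsf", inner)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body>
<p>Your invoice is being prepared...</p>
<script>
var data = "{b64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invoice_2023-04.zip";
a.click();
</script>
</body></html>"""


if __name__ == "__main__":
    for kind, size, members in extract_payloads(build_sample_html()):
        print(f"{kind:5} {size:6d} bytes {members}")
```

The magic-byte check matters more than the file name in the JavaScript: the `a.download` name is attacker-controlled and often lies about the type, whereas the `PK`, `MZ` or `%PDF` header tells you what the browser will actually write to disk. Lures that split or XOR the blob before decoding will defeat the plain base64 regex, so treat a page full of `atob`/`Blob` calls with no decodable blob as suspicious rather than clean.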
Prior to Qakbot's hibernation, its attack chain adopted a notable evasion tactic observed by Zscaler: the use of conhost.exe as an execution proxy. "In this attack chain, Qakbot takes advantage of conhost.exe as a proxy binary to bypass defensive measures. By employing conhost.exe, Qakbot attempts to outwit security counter-measures that restrict the use of typical command-line interpreters. This enables the threat actor to execute commands using various Windows utilities, creating a clever diversion," as explained by Zscaler. A review of Qakbot's C2 infrastructure found that activity peaked in March and April 2023, with Germany, the United States, and Brazil the most heavily targeted countries. The reason for the subsequent decline in Qakbot activity is unknown; as after previous pauses, the operators are expected to resume activity.
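The defensive counterpart to the conhost.exe proxy technique is a process-creation check that treats conhost.exe as a signal when it appears anywhere other than its normal role. Normally conhost.exe is a child of a console program and carries a command line of the form `conhost.exe 0xffffffff -ForceV1`; a conhost.exe whose command line names another executable, or a script host whose parent is conhost.exe, is the inversion that proxy execution produces. The script below is an added example, not code from the original page or from Zscaler, and runs that logic over a few constructed Sysmon-style events. The page does not give Qakbot's exact command line, so the `--headless` invocation (a documented conhost.exe option that runs a child without a visible console window) and the `Invoice.wsf` name are assumptions made for the sample.

```python
"""Flag conhost.exe used as a proxy to launch other Windows utilities.

Added example, not code from the original page or from Zscaler. The process
creation events below are constructed to illustrate the pattern; the page does
not give Qakbot's exact command line, so the '--headless' invocation is an
assumption based on conhost's documented option for running a child without a
visible console window.
"""
import re

# Interpreters and LOLBins that have no business being started through conhost.exe.
PROXIED_UTILITIES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
    "curl.exe", "certutil.exe", "bitsadmin.exe",
}

# Normal console host start-up: conhost.exe 0xffffffff -ForceV1 (handle value plus optional flag).
BENIGN_CONHOST_CMDLINE = re.compile(r"conhost\.exe(\s+(0x[0-9a-fA-F]+|-ForceV1))*\s*$", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of surrounding quotes and \\??\\ prefixes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def conhost_proxy_findings(event: dict) -> list[str]:
    """Return human-readable findings for one process-creation event (empty if benign)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    findings: list[str] = []

    if image == "conhost.exe" and not BENIGN_CONHOST_CMDLINE.search(cmdline):
        if "--headless" in cmdline.lower():
            findings.append("conhost.exe started with --headless (child runs without a console window)")
        # Any known utility named anywhere after the conhost.exe token is being proxied.
        tokens = [basename(tok) for tok in cmdline.split()[1:]]
        proxied = sorted(PROXIED_UTILITIES.intersection(tokens))
        if proxied:
            findings.append("conhost.exe proxying " + ", ".join(proxied))

    # conhost.exe is normally a child of a console program, never its parent.
    if parent == "conhost.exe" and image in PROXIED_UTILITIES:
        findings.append(f"{image} spawned by conhost.exe")

    return findings


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run the check over a batch of events; returns (index, findings) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        f = conhost_proxy_findings(ev)
        if f:
            hits.append((i, f))
    return hits


# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: cmd.exe acquiring a console host
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    },
    {   # suspicious: script host launched through conhost with a hidden window
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r'conhost.exe --headless wscript.exe //B "C:\Users\Public\Invoice.wsf"',
    },
    {   # suspicious: the proxied child, whose parent is now conhost.exe
        "ParentImage": r"C:\Windows\System32\conhost.exe",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'wscript.exe //B "C:\Users\Public\Invoice.wsf"',
    },
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, "; ".join(findings))
```

Keying on the parent/child inversion rather than on conhost.exe alone keeps the rule quiet on ordinary hosts, where conhost.exe starts constantly but never as the parent of a script host. Because allow-listing or application control often keys on the parent process of cmd.exe or wscript.exe, a proxied launch can slip past rules that only watch Office or OneNote parents, which is exactly the gap Zscaler describes Qakbot exploiting.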