Security researchers from Zscaler Threatlabz analyzed a multi-vector campaign by the Qakbot group and found a significant increase in the spread of Qakbot malware over the past six months. Recently, the threat actors behind the malware have changed their techniques to bypass detection. They use ZIP file extensions, enticing file names that mimic common document formats, and Excel 4.0 (XLM) macros to trick victims into opening malicious attachments.
Other, more subtle techniques are used by the threat actors to evade automated detection and raise the probability that an attack succeeds. These include code obfuscation, the use of multiple URLs to deliver the payload, the use of unusual file extensions to transport the malware, and changes to the infection chain that insert additional stages between the initial compromise, payload delivery and the final execution of the malicious code. Qakbot arrives in attachments with innocuous, common file names and uses ZIP archives to conceal the executable components behind them, among them Microsoft Office documents, LNK shortcuts and PowerShell scripts.
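The naming and packaging tricks described above (executable stages such as LNK or PowerShell hidden inside a ZIP, decoy double extensions, and payloads shipped under an unfamiliar extension) can be checked for at the mail gateway before an archive reaches a user. The following inspector is an added example written for this article; it is not Zscaler's code and not derived from any Qakbot sample. It lists the members of a ZIP attachment, flags executable-like and macro-capable extensions, and sniffs the first bytes of each member so that a PE or LNK file renamed to an unknown extension is still recognised. The sample archive it builds is constructed inline for the demonstration and the member names are invented.

```python
import io
import zipfile
from dataclasses import dataclass

# Member extensions that execute code when opened (PE, shortcuts, scripts).
EXECUTABLE_LIKE = {".exe", ".dll", ".scr", ".lnk", ".ps1", ".js", ".vbs", ".hta", ".cmd", ".bat"}
# Office formats that can carry VBA or Excel 4.0 (XLM) macros.
MACRO_CAPABLE = {".xls", ".xlsm", ".xlsb", ".doc", ".docm"}
# Harmless-looking extensions typically used as the visible part of a decoy name.
DECOY_DOC = {".pdf", ".docx", ".xlsx", ".txt", ".jpg", ".png"}

# Leading bytes of formats worth recognising regardless of the extension they carry.
MAGIC = {
    b"MZ": "PE executable",
    b"\x4c\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut (LNK)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound document (legacy Office)",
}


@dataclass(frozen=True)
class Finding:
    member: str
    reason: str


def _extensions(name: str) -> list:
    """All dotted suffixes of the member name, lower-cased: 'a.pdf.lnk' -> ['.pdf', '.lnk']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def _sniff(head: bytes):
    """Map the first bytes of a member to a known format label, or None."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def inspect_zip(data: bytes) -> list:
    """Flag archive members whose name or content suggests a hidden executable stage."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                head = fh.read(8)
            fmt = _sniff(head)
            if last in EXECUTABLE_LIKE:
                if len(exts) > 1 and exts[-2] in DECOY_DOC:
                    findings.append(Finding(info.filename, f"decoy double extension hiding {last}"))
                else:
                    findings.append(Finding(info.filename, f"executable-like member {last}"))
            elif last in MACRO_CAPABLE:
                findings.append(Finding(info.filename, "macro-capable Office document"))
            elif fmt is not None:
                # The content says executable/document but the extension does not:
                # the "unknown extension" delivery trick.
                findings.append(Finding(info.filename, f"{fmt} under unexpected extension {last or '(none)'}"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (invented names, header bytes only; not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_4471.pdf.lnk", b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 56)
        zf.writestr("Report_Q3.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504)
        zf.writestr("update.dat", b"MZ" + b"\x00" * 62)
        zf.writestr("README.txt", b"Quarterly figures attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(f"{finding.member}: {finding.reason}")
```

Running the block reports the shortcut with the decoy `.pdf.lnk` name, the legacy `.xls` workbook as macro-capable, and the `.dat` file as a PE executable by content; the plain text file produces no finding. Content sniffing is what closes the gap left by an extension blocklist, since the extension is under the attacker's control and the leading bytes are not.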
Qakbot, also known as QBot, QuackBot and Pinkslipbot, has been active since 2008 and is widely used as a password-stealing Trojan. The infostealer spreads via an email-driven botnet that injects replies into existing email threads. The threat actors target bank customers and use the access gained through compromised credentials to spy on financial transactions and collect valuable information.
Infostealers like Qakbot are a monetization method that cybercriminals use to gain access to sensitive information. This category of malware plays an increasingly important role in modern ransomware scenarios, as attackers use a double extortion mechanism to increase the success rate of their efforts. If the original ransomware payload fails to achieve its purpose because a company has an effective offline backup strategy, double extortion can increase the pressure on the company to comply with the monetary demands. Infostealer and remote access Trojan (RAT) components are used to steal confidential information from the corporate network, and the attackers then threaten to publish the exfiltrated data.