Qakbot appears to be back online after the network destruction in the Operation Duck Hunt. Microsoft Threat Intelligence team reports about a new, low-volume email spam campaign that spreads the infamous malware.
QakBot Comeback – Is It Real?
On December 16, 2023, the Microsoft Threat Intelligence team shared part of their observations on X. It appears that a new email spam campaign, started on December 11, spreads a good-old QakBot. Hackers disguised the message as a notification from the IRS employee and attached a PDF file to it. The quality of a spam email inspires confidence, so victims gladly move on to the further stages of a scam.
The attached PDF is, in fact, a point of malware injection. Instead of an expected document, the victim sees a page that reports a preview error and asks to download and install Adobe Acrobat. The link offered for downloading Acrobat leads to the downloading page that shares a signed .msi file. This file, as you could already have guessed, is a malware body.
Trivia uncovered by Microsoft researchers say clearly that it is not a reuse of an old QakBot sample, but a completely new generation. Both the campaign name, version number and the timestamp on the sample point at the fact that it is all about a new round of QakBot.
What is QakBot?
For over a decade, QakBot a.k.a QBot remained a severe hazard for both single users and companies. Emerged in 2007, it was originally categorized as a worm/banking trojan. With time though it received extensive updates that made it more capable in the initial purpose, and added some new features. The one in particular – loader functionality – is what dramatically changed this malware’s future.
Ever since it gained the ability to deliver payloads, QakBot has become a beloved tool for initial access and malware delivery in numerous attacks. Its use in the attacks of Russian state-sponsored hackers also explains its sustainability and impertinence. But all streaks are made to be broken – and the FBI have shown exactly this in late August 2023. By taking down the entire botnet, except for Tier 1 C2 servers, law enforcement jammed the QBot activity for 4 months. Until now, it seems.
How to protect against QakBot?
As I’ve shown above, the main way this malware spreads through is email spam. It was the main option before the takedown and remains up to date. There is tons of advice on avoiding malicious emails, but let me share a couple of specific ones for targeted spam the QakBot usually uses.
Avoid files you have not expected to receive. The main thing hackers rely on is people’s lack of attention to detail. Do you expect someone from the IRS to contact you with the “client’s information”? Are you waiting for a colleague to send you a strange table from the wrong email address? Question yourself each time you face something like this – and the chances of infection will go down dramatically.
Never interact with contents of unknown files. This is the continuation of a previous advice, though it works with files from any source. MS Office files that offer to allow macros, PDFs with links that lead to malware downloading – there are plenty of options. When you are not sure whether the file is benign or not, avoid clicking any interactive content – both in it and related to it.
Employ email protection solutions. Extensive use of email messages for malware spreading gave birth to an entire class of security solutions, that specialize in securing email inboxes. By scanning the message properties, attachments, or even text body, they conclude and say whether it is safe to work with the file.
Use reliable anti-malware software. This solution is reactive, contrary to the proactive ones I’ve named above, though should still serve as a goalkeeper. When all other systems fail, something should protect you. QakBot is not magical, so a well-done anti-malware engine should detect it right away. Be sure that GridinSoft Anti-Malware is the one you can rely on in this task.
