The Qakbot information stealer, first seen in 2008, has resurfaced once again. According to researchers, the infostealer has continued to evolve, adapt, and adopt new strategies despite its periods of inactivity over the past years.
Additionally, the group behind it has adopted more evasive techniques, allowing the malware to slip past most security solutions.
According to reports, researchers have observed a significant surge in Qakbot infections over the past few weeks, along with improved tactics used across the group's operations.
Three significant changes make Qakbot more threatening to users.
In a recent analysis of samples from the returned Qakbot activity, the information stealer evaded security solutions by abusing the ZIP file extension. In addition, its operators changed the file names used by the malware to a standard-looking format so as not to raise suspicion from security detectors.
The infostealer also used Excel 4.0 macros to deceive victims into downloading malicious attachments that led to its installation on the targeted device. It also used unfamiliar file extensions and suffixes to deploy the payload, and changed its sequence of steps by inserting new stages between initial compromise, distribution, and execution.
The researchers also noticed other subtle strategies, such as obfuscating code and abusing numerous URLs to spread the payload.
Recent attacks also revealed that the Qakbot operators are using many different file names to disguise the attachments that distribute the infostealer. Researchers noted that these file names consist of a description, a generated number, and data.
The attachment names include keywords commonly associated with finance and business operations, to deceive victims into believing they are routine business files.
The adversaries then use PowerShell commands to download the malicious code, and have transitioned from rundll32[.]exe to regsvr32[.]exe as the loader. These executables load the malicious payload in a way that bypasses detection.
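As an added illustration that is not part of the original report, the following Python check runs over constructed process-creation events and flags the loader handoff described above: rundll32.exe or regsvr32.exe launched from PowerShell or Excel, loading a module with an unusual extension from a user-writable path. The event fields, sample paths and file names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str

LOADERS = {"regsvr32.exe", "rundll32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "excel.exe", "cmd.exe", "wscript.exe"}
NORMAL_EXT = {".dll", ".ocx", ".cpl"}           # what these loaders normally load
USER_PATHS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: ProcEvent) -> Optional[str]:
    """Return a reason string when the event matches the loader pattern, else None."""
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    if image not in LOADERS:
        return None
    reasons = []
    if parent in SCRIPT_HOSTS:
        reasons.append(f"{image} spawned by {parent}")
    # The first path-like token that is not the loader itself is the module being loaded
    for tok in re.findall(r'[a-z]:\\[^\s",]+', ev.command_line, re.I):
        name = _basename(tok)
        if name in LOADERS:
            continue
        ext = name[name.rfind("."):] if "." in name else ""
        if ext not in NORMAL_EXT:
            reasons.append(f"module has unusual extension {ext or '(none)'}")
        if any(p in tok.lower() for p in USER_PATHS):
            reasons.append("module loaded from user-writable path")
        break
    return "; ".join(reasons) if reasons else None

def scan(events: List[ProcEvent]) -> List[str]:
    return [r for r in (check_event(e) for e in events) if r]

# Constructed sample events (not real telemetry); the third one is benign
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r"C:\Windows\System32\regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\invoice.tmp"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\ProgramData\734512.dat,DllRegisterServer"),
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```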
Qakbot's latest campaigns show a firm resolve to upgrade both its attacks and its evasion capability. Experts suggest that organisations train employees to handle attachments carefully and avoid opening files with suspicious extensions.