QakBot malware [2] [4] [5] [6], also known as QBot [5], QuackBot [1] [2] [3] [4] [5] [6], and Pinkslipbot [5], has been a persistent threat since 2008 and showed increased activity in the second quarter of 2023. Cybercriminals have been adapting their attack methods to evade security measures and detection tools, using tactics such as “building block style attacks”, hosting malicious code on popular blogging platforms, and employing a variety of techniques to avoid detection. This article provides an overview of the QakBot malware and highlights the recommended actions for network defenders.

Description

QakBot malware has been highly active since 2008 and was particularly active in the second quarter of 2023. Cybercriminals have been diversifying their attack methods to bypass security policies and detection tools [4]. They have been using “building block style attacks”, including hosting components on popular blogging platforms like Blogspot, to create unique infection chains, switching file types and techniques to evade detection [3] [4]. In fact, 32% of the infection chains analyzed in Q2 were found to be distinctive, showing the variety of QakBot campaigns. The malware spreads through malspam campaigns and has recently evolved with new attack vectors [5]. These include the use of ZIP file attachments [5], enticing file names [5], and Excel 4.0 macros to trick victims into downloading malicious attachments [5]. Threat actors have also been obfuscating code, using multiple URLs [5], and altering the order of steps in the infection chain to defeat automated detection [5].

HP Wolf recommends that network defenders ensure their email and endpoint defenses are prepared for the various permutations of QakBot spam [4]. The report also highlights Aggah campaigns that hosted malicious code within the Blogspot blogging platform [4], making it difficult to distinguish between a legitimate blog and an attack [4]. Attackers have been observed using DNS TXT record queries to deliver the AgentTesla RAT, taking advantage of the fact that DNS traffic is often not monitored or protected [2] [4]. Additionally, a recent campaign used multiple programming languages to avoid detection [4].

HP Wolf’s analysis [4], based on data collected from April to June 2023 [4], emphasizes the importance of training users to handle attachments properly and to verify URLs before entering credentials. This is crucial because attackers are using formulaic attack chains with creative twists to avoid detection: by changing file types and techniques [3] [4], they bypass detection tools and security policies.

Cybercriminals are also exploiting Windows systems to disable anti-malware capabilities and execute remote access trojans such as XWorm or AgentTesla to steal sensitive information [6]. Once installed on a computer, QakBot can steal information by monitoring keystrokes [1], taking screenshots [1], and accessing files, and it can spread to other computers on the same network [1]. QakBot is often delivered through phishing emails [1], malicious attachments or links [1] [5], and drive-by downloads [1]. To protect against QakBot [1], users should be cautious about clicking on links and opening attachments [1], keep software up to date [1], use a firewall [1], stay informed about cybersecurity threats [1], use a password manager [1], enable two-factor authentication [1], and treat unfamiliar emails or attachments with suspicion [1]. If infected [1], users should isolate the affected computer [1], run a full scan with antivirus software [1], change passwords for online accounts [1], and report the infection to the authorities [1].

Conclusion

Cybercriminals are using creative methods to diversify their QakBot malware attacks [2] [6]. They connect different building blocks to create unique infection chains [2], bypassing detection tools and security policies [2] [3] [6]. In Q2, 32% of the QakBot infection chains analyzed were found to be unique [2]. Attackers behind the Aggah campaigns host malicious code on the popular blogging platform [2] Blogspot [1] [2] [4] [6], making it harder for defenders to distinguish between a blog and an attack [2]. They also disable anti-malware capabilities on users’ machines and steal sensitive information [2]. Another Aggah attack uses a DNS TXT record query to deliver the AgentTesla RAT [2] [6], taking advantage of the fact that the DNS protocol is often not monitored or protected [2] [4]. A recent campaign uses multiple programming languages [2] [4]: it encrypts its payload in Go to evade anti-malware scanning features, then switches to C++ to interact with the victim’s operating system and run the .NET malware in memory [2], leaving minimal traces on the PC [2].
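The DNS TXT delivery technique mentioned above (in the Description and again here) is cheap to look for once resolver logs are actually collected. The following is an added example, not code from any of the cited reports: it runs two heuristics over constructed resolver log lines (the hosts, domains and record contents are invented, not real indicators), flagging long base64-like TXT answers and a client fetching several distinct TXT records under one parent domain, while letting common legitimate TXT uses (SPF, DMARC, DKIM, site verification) through.

```python
import re
from collections import defaultdict

BLOB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 4  # constructed base64-alphabet stand-in for an encoded chunk

# Constructed resolver log, one record per line: <timestamp> <client> <qname> <qtype> <rdata>.
# Hosts, domains and record contents are invented for this example, not real indicators.
SAMPLE_LOG = f"""\
2023-06-01T10:00:01 10.0.0.5 _dmarc.example.com TXT v=DMARC1; p=reject; rua=mailto:dmarc@example.com
2023-06-01T10:00:02 10.0.0.5 example.com TXT v=spf1 include:_spf.example.com -all
2023-06-01T10:00:03 10.0.0.7 p1.cdn-updates.invalid TXT {BLOB}
2023-06-01T10:00:03 10.0.0.7 p2.cdn-updates.invalid TXT {BLOB}
2023-06-01T10:00:04 10.0.0.7 p3.cdn-updates.invalid TXT {BLOB}
2023-06-01T10:00:05 10.0.0.9 www.example.com A 192.0.2.10
"""

# Legitimate TXT uses allowed through (DKIM keys are base64 and would otherwise look like blobs).
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=")
# A long run of the base64 alphabet with optional padding is typical of an encoded stage.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")

def parse_line(line):
    """Split one constructed log line; rdata may contain spaces, hence maxsplit."""
    ts, client, qname, qtype, rdata = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(), "rdata": rdata}

def parent_domain(qname, levels=2):
    """Crude registrable-domain approximation: the last two labels."""
    return ".".join(qname.split(".")[-levels:])

def analyze(log_text, chunk_threshold=3):
    """Return (rule, client, subject) tuples for suspicious TXT activity."""
    alerts = []
    txt_names = defaultdict(set)  # (client, parent domain) -> distinct TXT qnames queried
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["qtype"] != "TXT" or rec["rdata"].startswith(BENIGN_PREFIXES):
            continue
        if BLOB_RE.fullmatch(rec["rdata"]):
            alerts.append(("base64_blob", rec["client"], rec["qname"]))
        txt_names[(rec["client"], parent_domain(rec["qname"]))].add(rec["qname"])
    # Several distinct TXT names under one parent from one client suggests chunked retrieval.
    for (client, parent), names in txt_names.items():
        if len(names) >= chunk_threshold:
            alerts.append(("chunked_txt", client, parent))
    return alerts
```

On the sample, the two records from 10.0.0.5 pass as SPF/DMARC, while 10.0.0.7 produces three base64_blob alerts and one chunked_txt alert for cdn-updates.invalid.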

In light of these developments, network defenders should ensure their email and endpoint defenses are prepared for the various permutations of QakBot spam [4]. Training users to handle attachments properly and verify URLs before entering credentials is also essential. Additionally, staying informed about cybersecurity threats and implementing security measures such as using a firewall, keeping software up to date [1], and enabling two-factor authentication can help protect against QakBot and similar malware. It is important to remain vigilant and to report any infections to the authorities to prevent further damage.

References

[1] https://itssecurityyall.substack.com/p/qakbot-returning-with-a-vengeance
[2] https://www.tradingview.com/news/reuters.com,2023-08-24:newsml_Zaw23vQZZ:0-pressr-threat-actors-get-creative-with-building-block-style-attacks-finds-hp/
[3] https://www.devdiscourse.com/article/technology/2569557-cybercriminals-chaining-different-attack-combinations-together-to-evade-detection-hp-report
[4] https://www.infosecurity-magazine.com/news/creative-qakbot-attack-tactics/
[5] https://www.socinvestigation.com/qakbot-attacks-evolving-new-threat-techniques-detection-response/
[6] https://menafn.com/1106935360/Threat-Actors-Get-Creative-With-Building-Block-Style-Attacks-Finds-Hp-Insider-Knowhow-Helps-Attackers-Evade-Detection-And-Bypass-Security-Policies