QakBot, also known as QBot, has existed for over a decade. First found in the wild in 2007, the trojan has since been continually maintained and developed to the extent that it has become one of the leading trojans around the globe.
According to researchers from Kaspersky, in the first seven months of 2021 the number of users affected by QBot jumped to 65% compared to the previous year. Most of the trojan's campaigns were observed in Q1 2021 and affected over 12000 users. Nevertheless, the QakBot operators' attack trend appears to continue, including aggressive use of phishing emails.
New SquirrelWaffle used to drop QBot
- On November 8, Minerva Labs’ researchers spotted a new phishing campaign that executed a malicious Excel file.
- The Excel file instructs users to enable the macro and, in the background, attempts to download three different files using regsvr32.exe.
- This macro ultimately opens a network connection to deploy the SquirrelWaffle dropper, which in the final stage downloads QBot.
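The chain above (an Office document whose macro launches regsvr32.exe to fetch payloads) leaves a simple parent/child footprint in endpoint process-creation telemetry. The following detection logic is an added example and is not code from the original article, Minerva Labs or any vendor; it assumes a simplified Sysmon-style JSON line per process-creation event with `image`, `parent_image`, `pid` and `ppid` fields, and the sample events are constructed for illustration. It generalises slightly beyond the article by treating any Office host (Excel, Word, PowerPoint, Outlook) as a suspicious parent and by counting bursts of regsvr32.exe launches per parent, since the campaign pulls three files.

```python
"""Flag regsvr32.exe launched by an Office application (added example, not the article's code)."""
import json
from collections import Counter

# Office host processes that should not normally spawn regsvr32.exe.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample process-creation events in an assumed simplified Sysmon-style JSON shape.
# Every id, pid, path and filename here is made up for the example.
SAMPLE_EVENTS = [
    r'{"id": 1, "pid": 4120, "ppid": 1532, "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "cmdline": "explorer.exe"}',
    r'{"id": 2, "pid": 5208, "ppid": 4120, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "EXCEL.EXE invoice.xlsb"}',
    r'{"id": 3, "pid": 5310, "ppid": 5208, "image": "C:\\Windows\\System32\\regsvr32.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "regsvr32.exe C:\\Users\\Public\\a.dll"}',
    r'{"id": 4, "pid": 5311, "ppid": 5208, "image": "C:\\Windows\\System32\\regsvr32.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "regsvr32.exe C:\\Users\\Public\\b.dll"}',
    r'{"id": 5, "pid": 5312, "ppid": 5208, "image": "C:\\Windows\\System32\\regsvr32.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "regsvr32.exe C:\\Users\\Public\\c.dll"}',
    # Benign baseline: an installer registering a DLL is a normal use of regsvr32.exe.
    r'{"id": 6, "pid": 700, "ppid": 612, "image": "C:\\Windows\\System32\\regsvr32.exe", "parent_image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "regsvr32.exe /s C:\\Program Files\\Vendor\\plugin.dll"}',
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(lines):
    """Parse JSON lines into event dicts."""
    return [json.loads(line) for line in lines]


def is_office_spawned_regsvr32(event: dict) -> bool:
    """True when regsvr32.exe was started directly by an Office host process."""
    return (basename(event["image"]) == "regsvr32.exe"
            and basename(event["parent_image"]) in OFFICE_HOSTS)


def find_suspicious(lines):
    """Return the ids of events matching the Office -> regsvr32.exe pattern."""
    return [ev["id"] for ev in parse_events(lines) if is_office_spawned_regsvr32(ev)]


def regsvr32_count_by_office_parent(lines):
    """Count regsvr32.exe launches per Office parent pid.

    A burst from one document-hosting process (the campaign fetches three files)
    is a stronger signal than a single launch and is a natural alert threshold.
    """
    counts = Counter()
    for ev in parse_events(lines):
        if is_office_spawned_regsvr32(ev):
            counts[ev["ppid"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("suspicious event ids:", find_suspicious(SAMPLE_EVENTS))
    print("regsvr32 launches per Office parent:", regsvr32_count_by_office_parent(SAMPLE_EVENTS))
```

On real telemetry the same rule maps onto a Sysmon Event ID 1 (or EDR process-start) query on parent image and child image; the installer-launched regsvr32.exe in the sample is deliberately left unflagged to show that the parent, not the binary alone, carries the signal.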
Phishing around Coronavirus remains popular
- Sharing details of another QBot phishing campaign, Malwarebytes Threat Intelligence researchers highlighted that the attackers are using different email subjects to lure as many users as possible.
- One of these subjects revolves around information on Coronavirus.
- The other two subjects are ‘Test Message’ and ‘PSE crane quotes for Hereford and Plainview projects.’
- These emails include a zip file that eventually leads to the download of the QBot trojan.
The evolution of QBot becomes a concern
- Apart from its data-stealing abilities, QakBot has been augmented with additional malicious modules.
- As per the latest findings from Kaspersky researchers, the trojan has been found to include Cookie Grabber, Hidden VNC, Email Collector, Hooking, Proxy, and Passgrabber modules.
- These modules allow threat actors to collect cookies, connect to the infected machine without the user's knowledge, exfiltrate emails to remote servers, and steal login passwords.
Final words
QakBot has been active for over a decade and doesn't look like it's going away anytime soon. The addition of new capabilities and modules is proof that threat actors plan to steal more information and maximize their revenue. However, the one challenging factor that primarily needs to be considered is the trojan operators' use of various evasion techniques. Therefore, organizations must enhance endpoint security to thwart such attacks before any further damage occurs.