Detection of Qakbot Malware Has Been Discovered in New Ways


For the Qakbot malware's creators, shifting delivery methods is a way to avoid detection.


The Qakbot operators evade detection by using ZIP file extensions, enticing file names in common document formats, and Excel 4.0 (XLM) macros to trick victims into downloading malicious attachments that install Qakbot, Zscaler ThreatLabz researchers Tarun Dewan and Aditya Sharma said in an article published today.


Code obfuscation, new layers in the attack chain, and uncommon file extensions (e.g., .OCX, .ooccxx, .dat, or .gyp) are among the other techniques the group uses. The group also spreads the payload delivery across multiple URLs and those uncommon file extensions.


According to Fortinet, "Qakbot is a versatile post-exploitation tool that incorporates various layers of defense evasion techniques designed to minimize detections."





"Many financially motivated groups (cyber criminals) prefer Qakbot because of its modular design and infamous resiliency against traditional signature-based detection."



Microsoft's plan to block macros by default, announced in April 2022, prompted the malware's operators to shift tactics from XLM macros to .LNK files in May; Microsoft has since temporarily rolled that decision back.


In addition, PowerShell was used to download the malicious DLL, and rundll32.exe was used to load the payload instead of regsvr32.exe, which the researchers described as a "clear sign of Qakbot evolving to evade updated security practices and defenses."
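The delivery traits described above (a DLL payload renamed to an uncommon extension such as .OCX, .ooccxx, .dat or .gyp, then loaded through regsvr32.exe or rundll32.exe, often spawned from an Office process or PowerShell) are something a defender can hunt for in process-creation telemetry. The following Python script is an added example and is not code from the article or from Zscaler; the log line format, host names, user paths and timestamps are constructed for illustration, and only the loader names and extension list come from the article. It parses a handful of constructed process-creation events and flags the combinations that match the reported tradecraft, generalizing slightly by also noting payloads loaded from user-writable directories.

```python
import re
from typing import Optional

# Loader binaries the article reports Qakbot using to run its DLL payload.
LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Disguised payload extensions listed in the article (compared case-insensitively).
SUSPICIOUS_EXTENSIONS = {".ocx", ".ooccxx", ".dat", ".gyp"}
# Parent processes that indicate a document- or script-driven launch (assumed heuristic).
SUSPICIOUS_PARENTS = {"excel.exe", "winword.exe", "powershell.exe", "cmd.exe"}

# Constructed event format (not real EDR output):
#   <timestamp> host=<name> parent=<image> image=<path> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>[^"]*)"$'
)
# Windows paths inside a command line; stops at whitespace, quotes or the
# comma that separates a rundll32 module path from its entry point.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s",]+')

# Constructed sample telemetry: one benign rundll32 call, two events matching
# the reported Qakbot pattern, and one unrelated process.
SAMPLE_EVENTS = [
    r'2022-06-02T10:14:55Z host=WS01 parent=svchost.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"',
    r'2022-06-02T10:15:01Z host=WS01 parent=excel.exe image=C:\Windows\System32\regsvr32.exe cmd="regsvr32.exe -s C:\Users\alice\AppData\Local\Temp\invoice.ooccxx"',
    r'2022-06-02T10:16:30Z host=WS01 parent=powershell.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe C:\Users\alice\AppData\Roaming\update.dat,DllRegisterServer"',
    r'2022-06-02T10:17:00Z host=WS01 parent=explorer.exe image=C:\Apps\app.exe cmd="app.exe --start"',
]


def basename(path: str) -> str:
    """Lower-cased final path component, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def extension(path: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def parse_event(line: str) -> Optional[dict]:
    """Split one constructed log line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def score_event(event: dict) -> list[str]:
    """Return the reasons an event looks like a disguised-DLL load; empty if none."""
    reasons: list[str] = []
    image = basename(event["image"])
    if image not in LOADERS:
        return reasons  # only regsvr32/rundll32 launches are of interest here
    parent = basename(event["parent"])
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    for path in PATH_RE.findall(event["cmd"]):
        ext = extension(path)
        if ext in SUSPICIOUS_EXTENSIONS:
            reasons.append(f"{image} given payload with disguised extension {ext}")
        lowered = path.lower()
        if "\\appdata\\" in lowered or "\\temp\\" in lowered:
            reasons.append(f"{image} loading from user-writable path {path}")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run the heuristics over log lines; return (timestamp, reasons) for each hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        reasons = score_event(event)
        if reasons:
            hits.append((event["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_EVENTS):
        print(ts)
        for reason in reasons:
            print("  -", reason)
```

The benign shell32.dll call from System32 produces no findings, while the two constructed Qakbot-style events each trip three heuristics (suspicious parent, disguised extension, user-writable path). In production the same logic would read Sysmon Event ID 1 or EDR process-creation records rather than the constructed format used here, and the extension list should be treated as a starting point since the article notes the group keeps changing it.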


Qakbot has been a constant threat since late 2007, evolving from a banking trojan into a modular information stealer capable of deploying next-stage payloads such as ransomware.


