Qakbot botnets increase activity again



Recently, the threat actors behind Qakbot have been very active again. A significant number of attacks were noticed the previous time.

Their most recent attack chain is detailed below:

Malware spam campaigns are still the primary entrance point for Qakbot. To maximize the chance that recipients would respond to or interact with the message, they are faking email threads of well-known companies for their spam communications.

Both active Qakbot botnets are now using HTML smuggling again to provide the first attack load after briefly switching to OneNote files (see my recent post about a similar attack vector https://community.veeam.com/cyber-security-space-95/microsoft-onenote-files-used-to-distribute-emotet-malware-4451). Over the past year, many campaigns have employed this strategy of email spoofing.

  • The Obama botnet presently deceives users into opening the connected payload, which is concealed as a base64-encoded string, by posing as a OneDrive mail.
  • The BB botnet, on the other hand, makes use of Latin-themed text and has a script that downloads the payload from a remote site.

The following step is a JavaScript file in both situations. It causes the malware known as Qakbot to download and run when opened with “wscript”. To stop such attacks, system administrators should think about altering the default application for .js files (and similar scripts).

⚠ One of the riskiest first-access brokers and a crucial ransomware enabler is still Qakbot. So, be careful and watch twice before clicking on a link or attachment in a mail!

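The mitigation the post recommends, changing what a double-clicked script file opens with, as an added example that is not part of the original post: this PowerShell script re-points the machine-wide "open" verb for Windows script extensions from WScript.exe to Notepad, so an attachment dropped by HTML smuggling is displayed as text instead of executed. The extensions beyond .js are an assumption based on the post's "and similar scripts".

```powershell
# Added example (not from the original post): redirect the default "open" action
# for Windows script extensions to Notepad so a double-clicked .js attachment is
# shown as text instead of being run by WScript.exe. Run from an elevated shell.
#Requires -RunAsAdministrator

# Assumption: .js is what the post names; the others are "similar scripts".
$ScriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh'
$NotepadCommand   = '"{0}\notepad.exe" "%1"' -f $env:SystemRoot

function Get-ScriptHandler {
    param([Parameter(Mandatory)][string]$Extension)
    # Resolve extension -> ProgID -> shell\open\command in the machine-wide class store.
    $progId = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$Extension" `
        -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Command = $cmd; Key = $cmdKey }
}

function Set-ScriptHandlerToNotepad {
    param([Parameter(Mandatory)][string]$Extension)
    $h = Get-ScriptHandler -Extension $Extension
    if (-not $h) { Write-Warning "$Extension has no ProgID registered; nothing to change"; return }
    if (-not $h.Command) { Write-Warning "$($h.ProgId) has no open command; skipping"; return }
    if ($h.Command -notmatch 'wscript\.exe|cscript\.exe') {
        Write-Host "$Extension ($($h.ProgId)) already opens with: $($h.Command)"
        return
    }
    # Only the "open" verb is changed; "edit" and explicit wscript/cscript calls still work.
    Set-ItemProperty -Path $h.Key -Name '(default)' -Value $NotepadCommand
    Write-Host "$Extension ($($h.ProgId)): $($h.Command) -> $NotepadCommand"
}

foreach ($ext in $ScriptExtensions) { Set-ScriptHandlerToNotepad -Extension $ext }
```

A per-user choice under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice, if one exists, takes precedence over the machine-wide ProgID, so check those keys too or deploy the association through Group Policy.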

2 comments


Yes seen an uptick in spam emails lately.  Thanks for sharing.


The Qakbot network (or one of them?) was taken down in a multinational operation.

https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown
