On May 26th at around 14:37-14:47 UTC, Qakbot’s tier two distribution server was “mysteriously” taken down. It seems that the threat group that runs Qakbot, which Binary Defense tracks as Durak Group, didn’t notice that their server was gone until they began gearing up for their new campaign early in the morning of May 27th. Because of this, there was no malicious spam distribution campaign on May 27th. However, it only took Durak Group a day to spin up a new server, and malware distribution through email resumed on May 28th in a campaign that the threat actors labeled as spx128.
Qakbot is a modular malware distributed through spam email with links to download malicious payloads, best known for its use of ZIP files containing VBS scripts to hide the stage one loader. Take care when opening ZIP files and avoid running VBS files from unknown sources. Enterprise defenders should strongly consider implementing a group policy to set the default program for opening VBS, VBE, JS, JSE and other scripting file extensions to Notepad, so that these scripts aren’t automatically executed when end-users double-click them. Binary Defense produces IOCs daily for the Qakbot EXE distribution, which is pulled down by the VBS stage one loader.
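
To check whether the file-association change described above is actually in effect on a workstation, the following read-only PowerShell audit resolves each script extension to the command Explorer runs on double-click and flags any that still point at Windows Script Host. It is an added example, not Binary Defense tooling; including `.wsf` and `.wsh` among the "other scripting file extensions" is an assumption, and the function names are hypothetical.

```powershell
# Added example: report which program opens script files on double-click.
# Read-only; changes nothing. '.wsf' and '.wsh' are assumed additions to the
# VBS/VBE/JS/JSE list named in the article.
$Extensions  = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'
$ScriptHosts = 'wscript.exe', 'cscript.exe'   # Windows Script Host binaries

function Get-DefaultValue([string]$Path) {
    # Returns the unnamed (Default) value of a registry key, or $null if absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

function Get-ScriptHandler([string]$Extension) {
    # A per-user choice made in Explorer overrides the machine-wide mapping,
    # so a policy applied only under HKLM can be silently bypassed by it.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -LiteralPath $userChoice -Name ProgId -ErrorAction SilentlyContinue).ProgId
    $source = 'UserChoice'
    if (-not $progId) {
        # HKEY_CLASSES_ROOT is the merged HKCU + HKLM Software\Classes view.
        $progId = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$Extension"
        $source = 'HKCR'
    }

    $command = if ($progId) {
        # The Shell key's default value names the double-click verb; 'open' if unset.
        $verb = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$progId\shell"
        if (-not $verb) { $verb = 'open' }
        $verb = ($verb -split ',')[0].Trim()
        Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$progId\shell\$verb\command"
    }

    [pscustomobject]@{
        Extension    = $Extension
        Source       = $source
        ProgId       = $progId
        Command      = $command
        # True when a double-click would hand the file to a script host.
        AutoExecutes = [bool]($ScriptHosts | Where-Object { $command -like "*$_*" })
    }
}

$Extensions | ForEach-Object { Get-ScriptHandler $_ } | Format-Table -AutoSize -Wrap
```

Run it in the context of a standard user on a sample of endpoints after the policy has applied; any row with `AutoExecutes` set to `True` is an extension the policy has not covered for that user.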