The operators of Qbot, also known as Qakbot, have shifted methodologies to infect systems, according to analyzed samples recently captured in the wild.
Normally, Qbot operators deliver their malware via phishing emails that contain Microsoft Office documents with malicious macros in them. Upon execution of the macro, further Qakbot payloads will be downloaded and executed, completing the infection chain. However, recent samples captured have demonstrated threat actors switching tactics, opting for password-protected ZIP attachments containing malicious MSI Windows Installer packages in lieu of the Microsoft Office document. MSI packages will automatically install their payload when double-clicked, offering the Qakbot operators an easy way to trick a user into installing their malware.
This change in tactics is likely due to Microsoft’s plans to help prevent malware delivery via VBA Office macros, including the change to disable Excel 4.0 (XLM) macros by default. Many different malware families use malicious Office macros to execute their payloads on systems, so this change will impact a number of different types of malware beyond just Qbot.
The disabling of macros in Microsoft Office will be a huge blow to malware operators, as many different types of malware rely on malicious macros to gain initial execution on a victim’s machine. Because of this, operators will need to change tactics to obtain initial execution, similar to what Qbot has started doing. This will lead to an increase in new and different tactics being used.
All organizations are strongly advised to implement and maintain proper EDR and logging solutions on all endpoints. Proper detection and alerting will be crucial for monitoring infections that may use a wide range of different techniques. Abnormal process chains, processes creating outbound network connections, and odd file system or registry modifications are all behaviors that can be monitored to help alert an organization to a potential malware infection. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these detection needs.
Maintaining proper email controls is also vital to help prevent malware from reaching end users. This includes proper AV scanning and sandboxing to help determine whether attachments are suspicious.
Finally, while Microsoft is pushing out the change to Microsoft Office to prevent macros from executing by default, this change has not yet been completed. Organizations are advised to implement these changes themselves, using controls such as Group Policy, instead of waiting for Microsoft to complete the push. This will help ensure that malware still relying on Office macros becomes ineffective sooner rather than later.
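The email-control recommendation above can be applied to this delivery method directly: standard ZIP password protection encrypts file contents but leaves entry names and the per-entry encryption flag readable, so a mail gateway can identify an encrypted MSI without knowing the password. The following Python is an added example, not code from the original article or from Binary Defense; the function names, the sample file names, the extensions other than `.msi`, and the allow/review/quarantine verdicts are assumptions made for illustration.

```python
import io
import zipfile

# .msi is the payload type named in the article; the other extensions are an
# assumption added for this example.
INSTALLER_EXTS = (".msi", ".msp", ".mst")
ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 of a ZIP entry header


def inspect_zip_attachment(data: bytes) -> dict:
    """Classify a ZIP attachment from its central directory only (no password needed)."""
    result = {"valid_zip": False, "encrypted": [], "installers": [], "verdict": "allow"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        # Unparseable archives cannot be scanned; route them to sandbox or analyst.
        result["verdict"] = "review"
        return result
    result["valid_zip"] = True
    for info in entries:
        if info.flag_bits & ENCRYPTED_FLAG:
            result["encrypted"].append(info.filename)
        if info.filename.lower().endswith(INSTALLER_EXTS):
            result["installers"].append(info.filename)
    hidden_installers = set(result["encrypted"]) & set(result["installers"])
    if hidden_installers:
        result["verdict"] = "quarantine"  # encrypted installer: the pattern described above
    elif result["installers"] or result["encrypted"]:
        result["verdict"] = "review"      # only one signal present: sandbox or manual check
    return result


def build_sample_zip(name: str, encrypted: bool) -> bytes:
    """Constructed sample: a tiny ZIP whose single entry is optionally marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo(name), b"placeholder bytes, not a real installer")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the flags field (offset 8) in the central directory header.
        raw[raw.index(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    return bytes(raw)


if __name__ == "__main__":
    for name, enc in [("invoice.msi", True), ("invoice.msi", False), ("notes.txt", False)]:
        print(name, enc, inspect_zip_attachment(build_sample_zip(name, enc))["verdict"])
```

Archive formats that also encrypt entry names will not match the installer check, so they still need a general policy for encrypted attachments.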