The operators of Qbot, also known as Qakbot, have changed how they infect systems, according to analysis of samples recently captured in the wild.
Qbot operators normally deliver their malware via phishing emails carrying Microsoft Office documents with malicious macros. When the macro runs, it downloads and executes further Qakbot payloads, completing the infection chain. Recently captured samples, however, show the threat actors switching tactics: instead of an Office document, the email carries a password-protected ZIP attachment containing a malicious MSI Windows Installer package. Because an MSI package installs its payload automatically when double-clicked, this gives the Qakbot operators an easy way to trick a user into installing their malware.
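The delivery artifact described above (a password-protected ZIP whose member is an MSI package) can be triaged without opening the archive, because standard ZIP encryption protects member contents but leaves member names and header flags in the clear. The following is an added example, not code from the original article or from any analysis tooling: it reads only the ZIP central directory, flags archives that combine encrypted members with `.msi` members, and builds a constructed sample archive (the file name `invoice.msi` and its placeholder contents are invented for the demonstration) by setting the encryption flag bit on a stored entry.

```python
"""Attachment triage: flag ZIP archives that are password-protected and carry a
Windows Installer (.msi) package. Example code, not from the original article."""
import io
import struct
import zipfile

# Bit 0 of the ZIP general-purpose flag marks an encrypted (password-protected) entry.
ENCRYPTED_FLAG = 0x0001
INSTALLER_EXTS = (".msi",)


def inspect_zip(data: bytes) -> dict:
    """Return triage facts for a ZIP attachment given as raw bytes.

    Only the central directory is parsed: no member is extracted and no password
    is needed, so this works on password-protected archives as delivered.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"valid_zip": False, "encrypted": [], "installers": [], "suspicious": False}

    entries = zf.infolist()
    encrypted = [e.filename for e in entries if e.flag_bits & ENCRYPTED_FLAG]
    installers = [e.filename for e in entries if e.filename.lower().endswith(INSTALLER_EXTS)]
    return {
        "valid_zip": True,
        "encrypted": encrypted,
        "installers": installers,
        # The combination described for the Qbot samples: protected archive + MSI inside.
        "suspicious": bool(encrypted) and bool(installers),
    }


def build_sample(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Constructed sample archive for testing (not a real captured attachment).

    Writes one stored member and, if requested, sets the encryption flag in both
    the local file header (offset 6) and the central directory record (offset 8)
    so the archive presents as password-protected. The member data itself is a
    harmless placeholder and is not actually encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            idx = raw.find(signature)
            raw[idx + flag_offset:idx + flag_offset + 2] = struct.pack("<H", ENCRYPTED_FLAG)
    return bytes(raw)


if __name__ == "__main__":
    sample = build_sample("invoice.msi", b"MSI placeholder bytes", mark_encrypted=True)
    print(inspect_zip(sample))
```

A mail gateway or SOC triage script would apply `inspect_zip` to each ZIP attachment and route hits for sandboxing or quarantine; the check is intentionally structural (flag bit plus extension) so it does not depend on recovering the password that the phishing email supplies to the victim.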
This change in tactics is likely a response to Microsoft’s plans to curb malware delivery via VBA Office macros, including the change to disable Excel 4.0 (XLM) macros by default. Many malware families rely on malicious Office macros to execute their payloads, so this change will affect a range of malware beyond Qbot.