Last Updated on 13/12/2021 by Sanskriti
Infection chains linked to the multi-purpose Qakbot malware have been split down into “separate building pieces,” according to Microsoft, which will aid in proactively detecting and blocking the threat.
Qakbot is a “customizable chameleon that adapts to suit the needs of the multiple threat actor groups that use it,” according to the Microsoft 365 Defender Threat Intelligence Team.
Gold Lagoon, a financially driven cybercriminal threat organization, is suspected of developing Qakbot. It’s a common data-stealing malware that’s become a forerunner to many important and extensive ransomware assaults in recent years, providing malware installation-as-a-service to numerous campaigns.
The modular malware, like TrickBot, was first detected in 2007 and has developed from its early beginnings as a banking trojan to become a Swiss Army knife capable of data exfiltration and functioning as a delivery mechanism for second-stage payloads, such as ransomware. Its use of an Email Collector component to hijack victims’ genuine email threads from Outlook clients and use such threads as phishing baits to infect additional devices is also noteworthy.
“Compromising IMAP services and email service providers (ESPs), or hijacking email threads allows attackers to leverage the trust a potential victim has in people they have corresponded with before, and it also allows for the impersonation of a compromised organization,” Trend Micro researchers Ian Kenefick and Vladimir Kropotov detailed last month. “Indeed, intended targets will be much more likely to open emails from a recognized sender.”
The top targeted countries, according to Qakbot activity tracked by the cybersecurity firm between March 25, 2021, and October 25, 2021, are Japan, Germany, United States, India, Taiwan, Italy, South Korea, Turkey, Spain, and France, with intrusions primarily targeting the technology, telecommunications, and education sectors.
Spam operations have lately resulted in the introduction of a new loader known as SQUIRREL WAFFLE, which allows attackers to get an initial foothold in business networks and dump malicious payloads like Qakbot and Cobalt Strike on compromised devices.
According to Microsoft, Qakbot attack chains now consist of several building blocks that chart the various stages of the compromise, starting with the methods used to distribute the malware — links, attachments, or embedded images — and continuing through a variety of post-exploitation activities like credential theft, email exfiltration, lateral movement, and the deployment of Cobalt Strike beacons and ransomware.
The Redmond-based firm highlighted that attackers’ Qakbot-related emails may include a ZIP archive file attachment containing a spreadsheet with Excel 4.0 macros, a first access vector often exploited in phishing attempts. Regardless of the method used to spread the virus, all of the campaigns involve malicious Excel 4.0 macros.
While macros in Microsoft Office are disabled by default, receivers of the email messages are requested to allow the macro in order to see the document’s true content. The onslaught then moves on to the next step, which involves downloading malicious payloads from one or more attacker-controlled sites.
While macros in Microsoft Office are disabled by default, receivers of the email messages are requested to allow the macro in order to see the document’s true content. The onslaught then moves on to the next step, which involves downloading malicious payloads from one or more attacker-controlled sites.
