New Variant of QakBot spread through Phishing Emails
Source: Fortinet
Fortinet’s FortiGuard Labs captured a phishing email as part of a phishing campaign spreading a new variant of QakBot. Also known as QBot, QuackBot, or Pinkslipbot, QakBot is an information stealer and banking Trojan that has been captured and analyzed by security researchers since 2007.
The new variant begins its infection by tricking a user into executing a malicious .html file attached to an email message. Upon execution, the malicious file downloads a ZIP archive typically named “ScannedDocs_1586212494.zip”.
The downloaded file contains another malicious .lnk file that is disguised with a Microsoft Write icon to trick the victim into thinking it’s a safe text file. When opened, a group of commands will be executed by cmd.exe to load the QakBot Loader Module to further compromise the system and install the QakBot malware.
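The chain above turns on a shortcut (.lnk) arriving inside an archive while looking like a document. As an added example (not Fortinet's or Ascend's code), the script below inspects a ZIP for shortcut entries, both by the .lnk extension and by the fixed 20-byte header every Windows shortcut starts with, so an entry whose name was changed to hide the extension is still flagged. The sample archive is constructed in memory so the check runs offline; its entry names and bodies are assumptions.

```python
"""Added example: flag Windows shortcut (.lnk) entries inside a ZIP attachment.
Not code from the advisory; the archive below is constructed for the demo."""
import io
import zipfile

# Every Windows .lnk file begins with HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046}, serialised little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def build_sample_zip() -> bytes:
    """Construct an archive like the one in the advisory: a shortcut named as a
    scanned document, a copy renamed to hide the extension, and a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Only the header is real shortcut structure; the body is constructed padding.
        zf.writestr("ScannedDocs_1586212494.lnk", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("ScannedDocs_1586212494.wri", LNK_MAGIC + b"\x00" * 32)  # renamed
        zf.writestr("readme.txt", b"plain text, not a shortcut")
    return buf.getvalue()


def find_suspicious_shortcuts(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry that is a shortcut by name or by header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if by_ext or by_magic:
                findings.append(
                    {"name": info.filename, "by_ext": by_ext, "by_magic": by_magic}
                )
    return findings


if __name__ == "__main__":
    for f in find_suspicious_shortcuts(build_sample_zip()):
        print(f)
```

A mail gateway or download scanner would apply the same check to real attachments; checking the header rather than only the extension matters because the extension is the cheapest thing for a sender to change.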
QakBot is particularly dangerous malware because it uses several anti-analysis techniques to stay hidden, such as injecting malicious code into legitimate processes and encrypting constant strings. Attackers can also exfiltrate sensitive data and run remote commands on a system infected with QakBot.
As a result, Ascend Technologies has pushed detections for the known IOCs to our EDR, SIEM, and anti-malware platforms. These IOCs include IP addresses and hash values that allow us to detect and alert on this activity. As is the case with most malware, end users are the target, so maintaining a robust security posture, including end-user training that develops safe and secure internet browsing habits, remains highly important.
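IOC matching on IPs and hashes catches a known sample; a behavioural rule catches the chain even when the archive or hash changes. As an added example (not Ascend's or Fortinet's detection content), the script below runs a SIEM-style correlation over constructed, Sysmon-like events: a .lnk file written on a host, followed within a short window by cmd.exe started from explorer.exe on the same host, which is what a double-clicked shortcut produces. Hostnames, paths, timestamps, field names and the 120-second window are all assumptions for the example.

```python
"""Added example: correlate shortcut creation with an explorer-spawned cmd.exe.
Not code from the advisory; the events below are constructed for the demo."""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)  # assumed: how long after the .lnk appears we still link the two

# Constructed sample telemetry. Only ws01 shows the full sequence.
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T10:00:00", "host": "ws01", "type": "file_create",
     "path": r"C:\Users\a\Downloads\ScannedDocs_1586212494.zip"},
    {"ts": "2023-03-01T10:00:05", "host": "ws01", "type": "file_create",
     "path": r"C:\Users\a\AppData\Local\Temp\ScannedDocs_1586212494.lnk"},
    {"ts": "2023-03-01T10:00:09", "host": "ws01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c [constructed placeholder]"},
    # Different host, no preceding shortcut: an ordinary interactive shell.
    {"ts": "2023-03-01T10:05:00", "host": "ws02", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe"},
    # Same host as the shortcut, but far outside the window.
    {"ts": "2023-03-01T10:30:00", "host": "ws01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe"},
]


def correlate(events: list[dict]) -> list[dict]:
    """Return an alert for each explorer.exe -> cmd.exe launch that follows a
    .lnk file creation on the same host within WINDOW."""
    events = sorted(events, key=lambda e: e["ts"])
    recent_lnk: dict[str, list[tuple[datetime, str]]] = {}
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "file_create" and e["path"].lower().endswith(".lnk"):
            recent_lnk.setdefault(e["host"], []).append((t, e["path"]))
        elif (e["type"] == "process_create"
              and e["image"].lower().endswith("\\cmd.exe")
              and e["parent_image"].lower().endswith("\\explorer.exe")):
            for lnk_time, lnk_path in recent_lnk.get(e["host"], []):
                if timedelta(0) <= t - lnk_time <= WINDOW:
                    alerts.append({
                        "host": e["host"],
                        "lnk": lnk_path,
                        "cmd": e["command_line"],
                        "delta_s": int((t - lnk_time).total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The rule keys on the file-creation event rather than on cmd.exe's command line because a shortcut launch does not necessarily put the .lnk path into the child's arguments; what the EDR reliably sees is the shortcut being written and explorer.exe spawning the shell shortly after.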