Qbot botnet operators have switched tactics and are now pushing malicious payloads using phishing emails containing password-protected ZIP archive attachments with malicious windows installer packages.
Qbot, also known as Qakbot, Quakbot and Pinkslipbot, is a modular Windows banking trojan that has been in circulation since at least 2007 and is used to steal banking credentials, personal information, and financial data as well as to install backdoors on infected devices to deploy Cobalt Strike beacons.
Usually, Qbot operators would deliver the payload using phishing emails with Microsoft Office documents with malicious macros. However, this is the first time they’re using this particular tactic. Researchers believe this new tactic could be in response to Microsoft panning to remove malware delivery using VBA Office macros in February, having disabled Excel 4.0 (XLM) macros by default in January.
In the News: Android banking malware, Coinbase troubles, Moto G22 launch and more
Adapting to changes
Microsoft has started rolling out the VBA macro autoblock feature to Office users on Windows starting in early April. The feature has been rolled out to version 2203 in the current preview channel and will be rolling the feature out to other release channels and older versions later.
Threats often use Excel 4.0 macros to evade detection. However, now that this feature is disabled by default, users will have to enable it manually if they want to use macros, reducing the risk of undetected infection.
The Qbot malware is famous for infecting other devices on a compromised network using network sharing exploits and launching very aggressive brute-force attacks on active directory admin accounts. It’s usually used in highly targeted attacks on corporate entities as they have a higher return on investment for the operators.
The malware has been used by multiple ransomware gangs, including REvil, PwndLocker, MegaCortex, Egregor and ProLock.
In the News: Elon Musk is no longer joining the Twitter board