Medium
Researchers observed increased usage of a specific Qakbot variant across campaigns occurring this year. The variant’s initial infection vector is emails appearing to be replies to relevant business-related messages, in which the recipient is asked to click on a link in order to download an attachment. This link points to a malicious file hosted on a compromised website. Specifically, a ZIP archive containing a VBS file is downloaded. The VBS file is responsible for downloading an executable file, which is the final Qakbot payload. After anti-analysis and anti-VM checks are performed, persistence is established via a Registry Run key and a scheduled task. Additionally, it creates copies of itself on the filesystem and injects itself into multiple processes to remain memory resident. For C2 communication, it leverages both domain generation algorithms (DGA) and hardcoded C2 addresses. The researchers note that, as with older Qakbot samples, code exists suggesting additional routines that can be loaded through another component, such as a PowerShell routine to download other payloads.
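The delivery chain summarised above (ZIP archive, VBS stager, downloaded executable, then Run-key and scheduled-task persistence) can be expressed as a correlation rule over endpoint telemetry. The following is an added detection example written for this summary; it is not code from the original report or from any vendor product. The telemetry records, host names, paths and the field layout (loosely modelled on process-creation, file, registry and network events) are constructed for illustration and are assumptions, not indicators from the campaigns described.

```python
"""Added example: correlate constructed endpoint telemetry for the
ZIP -> VBS -> downloaded EXE -> Run-key / scheduled-task chain.
All events and field names below are constructed assumptions."""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations a phished user can write to; a VBS run from here is the stager hint.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")
RUN_KEY_MARKER = "\\currentversion\\run\\"

# Constructed sample telemetry: WS01 shows the full chain, WS02 is benign.
EVENTS = [
    {"host": "WS01", "type": "process", "pid": 100, "ppid": 10,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS01", "type": "process", "pid": 101, "ppid": 100,
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\invoice_reply.vbs"},
    {"host": "WS01", "type": "network", "pid": 101, "dest": "203.0.113.10:443"},
    {"host": "WS01", "type": "file", "pid": 101,
     "path": "C:\\Users\\a\\AppData\\Roaming\\upd.exe"},
    {"host": "WS01", "type": "process", "pid": 102, "ppid": 101,
     "image": "C:\\Users\\a\\AppData\\Roaming\\upd.exe", "cmdline": "upd.exe"},
    {"host": "WS01", "type": "registry", "pid": 102,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "value": "C:\\Users\\a\\AppData\\Roaming\\upd.exe"},
    {"host": "WS01", "type": "process", "pid": 103, "ppid": 102,
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn upd /tr C:\\Users\\a\\AppData\\Roaming\\upd.exe /sc minute"},
    # Benign: a logon script executed from a network share, no further stages.
    {"host": "WS02", "type": "process", "pid": 200, "ppid": 20,
     "image": "C:\\Windows\\System32\\cscript.exe",
     "cmdline": "cscript.exe \\\\fileserver\\netlogon\\map_drives.vbs"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect_chain(events, min_stages=3):
    """Return one finding per VBS stager whose process tree shows at least
    `min_stages` of: script host running a .vbs from a user-writable path,
    that process making a network connection, that process writing an .exe,
    a descendant setting a Run key, a descendant creating a scheduled task."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        parent = {e["pid"]: e["ppid"] for e in evs if e["type"] == "process"}

        def descends(pid, root):
            # Walk up the recorded parent chain; stop on cycles or unknown pids.
            seen = set()
            while pid is not None and pid not in seen:
                if pid == root:
                    return True
                seen.add(pid)
                pid = parent.get(pid)
            return False

        stagers = [e for e in evs if e["type"] == "process"
                   and _basename(e["image"]) in SCRIPT_HOSTS
                   and ".vbs" in e["cmdline"].lower()
                   and _user_writable(e["cmdline"])]
        for stager in stagers:
            root = stager["pid"]
            dropped = [e["path"] for e in evs if e["type"] == "file"
                       and e["pid"] == root and e["path"].lower().endswith(".exe")]
            stages = {
                "vbs_stager": True,
                "network": any(e["type"] == "network" and e["pid"] == root for e in evs),
                "dropped_exe": bool(dropped),
                "run_key": any(e["type"] == "registry" and RUN_KEY_MARKER in e["key"].lower()
                               and descends(e["pid"], root) for e in evs),
                "scheduled_task": any(e["type"] == "process"
                                      and _basename(e["image"]) == "schtasks.exe"
                                      and "/create" in e["cmdline"].lower()
                                      and descends(e["pid"], root) for e in evs),
            }
            score = sum(stages.values())
            if score >= min_stages:
                findings.append({"host": host, "stager_pid": root,
                                 "dropped": dropped, "stages": stages, "score": score})
    return findings


if __name__ == "__main__":
    for finding in detect_chain(EVENTS):
        print(finding)
```

The rule keys on the relationship between stages rather than on any single artifact: a script host alone is common on managed estates (WS02 above is ignored because its script comes from a share and nothing follows it), whereas a user-writable VBS that both talks to the network and drops an executable whose descendants register Run-key or scheduled-task persistence matches the chain the report describes. Because the variant also injects into other processes, a production version would additionally attribute later events to the injected hosts, which this constructed telemetry does not model.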