Kaspersky has released a technical analysis report detailing the decade-old QakBot trojan's infection chain, typical functions, and communication with its C2 servers.
QakBot is mostly known for reaching its victims via spam. Only since last year has it started sending phishing emails with ZIP attachments.
The attached documents contain macros, and victims are urged to open the attachment, which claims to hold important information. In some instances the emails carried links to web pages serving the malware-laced documents. QakBot uses a DLL loader binary, communicates with the C2 server, and has been used to deliver ProLock ransomware.
QakBot's malicious activities include collecting information about the compromised host, creating scheduled tasks, harvesting credentials, and manipulating the registry, among others. The report also sheds light on additional modules and on statistics regarding QakBot-based attacks.
The loader binary carries a list of 150 IP addresses embedded in its resources. Most of these belong to infected systems that act as proxies, forwarding traffic to another proxy or to the main C2. The actors use multiple additional modules, identified as Cookie Grabber, Hidden VNC, Email Collector, Hooking module, Pass Grabber module, Proxy module, and Web inject.
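A practical use of that embedded proxy list is hunting for hosts on your own network that have already talked to one of the nodes. The following is an added example, not code from Kaspersky's report or from the QakBot loader itself. It assumes the address list has already been extracted from the resource and decoded into plain `ip:port` lines (the on-disk encoding is not described on this page), and it assumes a hypothetical key=value firewall/NetFlow log format; the addresses and log lines are constructed samples from RFC 5737 documentation ranges, not real QakBot infrastructure.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a decoded proxy/C2 list as it might be dumped from the
# loader resource. Assumed plaintext "ip:port" format; documentation-range IPs.
SAMPLE_C2_LIST = """
192.0.2.10:443
198.51.100.7:2222
203.0.113.44:995
999.1.1.1:443        # malformed octet, must be skipped
not-an-ip:443        # malformed entry, must be skipped
"""

# Constructed sample log lines in a hypothetical key=value flow-log format.
# The last line is a denied connection: a blocked attempt still marks the
# source host as suspicious, so it is kept.
SAMPLE_LOGS = """
2021-09-02T10:00:01Z src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp action=allow
2021-09-02T10:00:02Z src=10.0.0.5 dst=8.8.8.8 dport=53 proto=udp action=allow
2021-09-02T10:00:03Z src=10.0.0.9 dst=203.0.113.44 dport=995 proto=tcp action=allow
2021-09-02T10:00:04Z src=10.0.0.9 dst=203.0.113.44 dport=80 proto=tcp action=allow
2021-09-02T10:00:05Z src=10.0.0.12 dst=198.51.100.7 dport=2222 proto=tcp action=deny
"""

ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_c2_list(text):
    """Return a set of (ip, port) tuples, skipping blanks, comments and bad entries."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        try:
            ipaddress.IPv4Address(ip)          # rejects octets > 255
        except ValueError:
            continue
        if 0 < port < 65536:
            entries.add((ip, port))
    return entries


def find_c2_contacts(log_text, c2_entries):
    """Map each internal source host to the sorted list of (ip, port) nodes it contacted.

    Matching on ip AND port matters here: the proxy nodes are ordinary infected
    machines, so traffic to the same IP on an unrelated port is not evidence.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if (dst, dport) in c2_entries:
            hits[src].add((dst, dport))
    return {src: sorted(nodes) for src, nodes in hits.items()}


if __name__ == "__main__":
    c2 = parse_c2_list(SAMPLE_C2_LIST)
    for host, nodes in sorted(find_c2_contacts(SAMPLE_LOGS, c2).items()):
        print(host, "->", ", ".join(f"{ip}:{port}" for ip, port in nodes))
```

Run as-is it reports three internal hosts; the 203.0.113.44:80 line is deliberately not flagged, and the denied 198.51.100.7:2222 attempt is. In practice, feed it the list pulled from the specific loader sample you are investigating, since the embedded nodes change between builds.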
QakBot has been stealing information and performing many other disruptive functions for financial gain. Defenders need to monitor for its activity and ensure the right security measures are in place across their endpoints.