December 9, 2023

Kaspersky has released the technical analysis report detailing of the decade old Qakbot trojan’s infection chain, typical functions, communication with C2.

QakBot is mostly known for targeting its victims via spam. Since last year only it started including phishing emails with ZIP attachments.

The documents include macros and victims are urged to open the attachment that claimed to have important information. In some instances, emails had links to web pages spreading malware-laced documents. It uses a DLL binary loader, communicates with the C2 server, and pushes ProLock ransomware.

QakBot malicious activities collect information about the compromised host, creating scheduled tasks, credentials harvesting, and registry manipulation, among others.The report also shed light on additional modules and statistics regarding QakBot-based attacks.

The malware has a list of 150 IP addresses added inside the loader binary resource. These are mostly from infected systems that are used as a proxy to forward traffic to another proxy or main С2. Actors use multiple additional modules identified as Cookie Grabber, Hidden VNC, Email Collector, Hooking module, Pass Grabber module, Proxy module, and Web inject.

Qakbot has been stealing information and performing many other disruptive functions for greater financial gains. One needs to watch its activities and ensure the right security measures are in place across different endpoints.

Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

WordPress POP CMS Vulnerability

December 9, 2023

Apache Struts fixes Critical Vulnerability – CVE-2023-50164

December 8, 2023

Meta enables Messenger with E2EE by Default

December 8, 2023 2

CISA KEV Update Part II – December 2023

December 7, 2023

Atlassian fixes critical RCE vulnerabilities in its products

December 6, 2023

Microsoft Echo’s on APT 28 exploiting CVE-2023-23397

December 5, 2023
%d