The infamous Qakbot malware is back and featuring some interesting improvements, experts have warned.
Sophos cybersecurity researchers have observed new Qakbot distribution campaigns: the malware now ships with a fake Windows installer. Once the victim runs the file, it displays a fake installer for an Adobe product.
To begin with, the installer looks suspicious and displays nothing more than the words “Adobe Settings.” When the user clicks the X button to close it, the installer asks “Are you sure you want to cancel the Adobe installation?” in an attempt to convince the user that the process is legitimate. The worst part is that it doesn't matter what the victim clicks: in every case the malware is installed, since the prompt serves only as a distraction.
Back with a vengeance
Other notable improvements include stronger obfuscation techniques, such as advanced encryption that hides C2 strings and communications. In addition to the XOR encryption method seen in previous variants, the new versions of Qakbot also use AES-256 encryption.
Finally, the malware scans the endpoint for antivirus solutions and other protection tools, and checks for virtualized environments. If it determines that it has been installed in a sandbox, it enters an infinite loop.
Qakbot was severely disrupted in the summer of 2023, when US law enforcement took down its infrastructure during Operation Duck Hunt. However, as no arrests were made at the time, investigators concluded it was only a matter of time before Qakbot operators were back in action.
In fact, in December last year, Microsoft reported on a new phishing campaign distributing Qakbot and now Sophos says that up to 10 new malware builds have been created since then.
Still, it's impossible to know if the new variants were developed by the same people who built the original Qakbot, or if a different threat actor obtained the source code and started experimenting with new versions.
Via BleepingComputer