The neverending adaptability of this threat is key to its long-term survival and success.
“Qakbot operators tend to reduce or stop their spamming attacks for long periods of time on a seasonal basis, returning to activity with a modified suite of tools,” Chris Formosa and Steve Rudd, researchers with Lumen’s Black Lotus Labs, have noted.
Qakbot primarily spreads through email hijacking and social engineering tactics.
Once it has secured its presence on target machines, it steals user credentials, establishes backdoors, and provides unauthorized access to those machines to other cybercriminals. It is known for delivering additional malware and ransomware to Windows hosts.
“Qakbot alternates its means of initial entry to stay ahead of tightening security policies and evolving defenses,” the researchers explained.
It previously leveraged Microsoft Office documents to gain access, but when Microsoft announced it will be blocking macros in files from the internet, it shifted to using malicious OneNote files, Mark of the Web evasion and HTML smuggling techniques.
An ever-changing pool of C2 servers
In addition to switching up their malware delivery methods, Qakbot operators also use a neat trick to keep their C2 infrastructure always up and running and able to evade security solutions.
Qakbot retains resiliency by repurposing victim machines into C2s. The researchers observed that more than 25% of C2s don’t remain active for more than a day, and 50% don’t remain active for more than a week.
Fighting off Qakbot
To mitigate the risk of getting Qakbot/Qbot on corporate machines, defenders should concentrate on reinforcing protections against email-borne attacks by regularly conducting phishing and social engineering training for employees.
The researchers also highlight the importance of fully monitoring network resources and ensuring proper patch management.