The infamous Qakbot malware is back with some interesting improvements, experts warn.
Cybersecurity researchers at Sophos have done just that noticed new distribution campaigns for Qakbot, the malware now comes with a fake Windows installer. Once the victim clicks on the malware, a fake installer for an Adobe product is displayed.
The installer looks suspicious at first, showing nothing other than the words “Adobe Setup”. If you click the X button to end the process, the installer will ask, “Are you sure you want to cancel the Adobe installation?” because it tries to trick the user into thinking the process is legitimate. The worst part is: it doesn’t matter what the victim clicks. In either scenario, the malware is installed because the prompt only serves as a distraction.
Back with a vengeance
Other notable improvements include improved obfuscation techniques, such as advanced encryption that hides strings and C2 communications. In addition to the XOR encryption method seen in previous variants, the new Qakbot versions also use AES-256 encryption.
Finally, the malware analyzes the endpoint for antivirus solutions and other security tools, and checks for virtualized environments. If it thinks it is installed in a sandbox, it will enter an infinite loop.
Qakbot was severely disrupted in the summer of 2023, when US law enforcement agencies took down its infrastructure during Operation Duck Hunt. However, with no arrests made at the time, investigators concluded it was only a matter of time before Qakbot’s operators were back in action.
Indeed, last December, Microsoft reported on a new phishing campaign spreading Qakbot, and now Sophos says that up to ten new malware builds have been created since then.
Still, it’s impossible to know if the new variants were developed by the same people who built the original Qakbot, or if some other threat actor obtained the source code and started experimenting with new builds.
Through BleepingComputer