QAKBOT malware, also known as QBot or Pinkslipbot, is back in business with new tools and tactics. The malware distributors are using Visual Basic for Applications (VBA) macros alongside Excel 4.0 macros to target organizations.
Toward the end of September 2021, researchers at Trend Micro spotted the malware operators sending malicious spam that led victims to SquirrelWaffle (another malware loader) and QAKBOT. The same operators were identified again in early October, this time conducting brute-force attacks on Internet Message Access Protocol (IMAP) services.
Targeting IMAP services and email service providers (ESPs) allows threat actors to leverage a potential target's trust in people they have corresponded with before: mail sent from a compromised mailbox as a reply in an existing thread arrives from a known contact. In this particular campaign, when a target opens the malicious file attached to the spam email, an auto_open macro attempts to generate a new sheet and set its font color to white, so that the data written to the sheet is invisible to the user.
Typically, the macro executes when the victim opens the document and clicks the “Enable Content” button. Once enabled, the macro reads data embedded in a form control named “UserForm1”, which turns out to be the hard-coded list of QAKBOT payload hosts.
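The macro behaviour described above (an auto-executing macro, a freshly added sheet with white text, and payload hosts pulled out of a UserForm1 control) lends itself to a simple triage rule over extracted macro source. The Python below is an added example, not code from the article or from Trend Micro's analysis. It assumes the VBA or Excel 4.0 macro text has already been extracted from the workbook (for instance with olevba); the VBA property names it matches on (Sheets.Add, Font.Color, UserForm1 control properties) and the Excel 4.0 functions (EXEC, CALL, REGISTER, FORMULA) are assumptions about how such a macro would be written, not strings quoted by the article; and both macro samples are constructed for illustration.

```python
from __future__ import annotations

import re

# Indicators of the behaviour described for this campaign. The VBA property
# and method names are assumptions about how such a macro would be written,
# not strings quoted from the analysed sample.
INDICATORS = {
    # auto-execution entry points (VBA procedures, or an Auto_Open defined name
    # in an Excel 4.0 macro sheet dump)
    "auto_exec": re.compile(r"\b(Auto_Open|Workbook_Open|Auto_Close)\b", re.I),
    # a sheet created at run time to stage data
    "new_sheet": re.compile(r"\b(Sheets|Worksheets)\.Add\b", re.I),
    # white font: vbWhite, RGB(255,255,255), its decimal value, or ColorIndex 2
    "white_font": re.compile(
        r"Font\.(Color\s*=\s*(vbWhite|RGB\(\s*255\s*,\s*255\s*,\s*255\s*\)|16777215)"
        r"|ColorIndex\s*=\s*2)",
        re.I,
    ),
    # data pulled out of a UserForm1 control's properties
    "userform_data": re.compile(
        r"\bUserForm1\.\w+\.(Caption|Tag|ControlTipText|Text|Value)\b", re.I
    ),
    # Excel 4.0 (XLM) functions that execute code or register DLL exports
    "xlm_exec": re.compile(
        r"=\s*(EXEC|CALL|REGISTER|FORMULA\.FILL|FORMULA)\s*\(", re.I
    ),
}


def scan_macro(source: str) -> dict[str, int]:
    """Count the lines of extracted macro text that match each indicator."""
    hits = {name: 0 for name in INDICATORS}
    for line in source.splitlines():
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name] += 1
    return hits


def classify(source: str) -> tuple[str, list[str]]:
    """Return ("suspicious" | "benign", [indicator names that fired])."""
    hits = scan_macro(source)
    reasons = [name for name, n in hits.items() if n]
    # An auto-executing macro that stages data on a new sheet, hides it with
    # white text, or pulls it out of a form control is the pattern described
    # for this campaign. XLM EXEC/CALL/REGISTER is suspicious on its own.
    concealment = {"new_sheet", "white_font", "userform_data"}
    if hits["xlm_exec"] or (hits["auto_exec"] and concealment & set(reasons)):
        return "suspicious", reasons
    return "benign", reasons


# Constructed VBA sample modelled on the behaviour described above.
SAMPLE_VBA = """\
Sub Auto_Open()
    Dim ws As Worksheet
    Set ws = Sheets.Add
    ws.Cells.Font.Color = RGB(255, 255, 255)
    ws.Range("A1").Value = UserForm1.Label1.Caption
    ws.Range("A2").Value = UserForm1.Label2.ControlTipText
    Application.Run ws.Range("A1").Value
End Sub
"""

# Constructed Excel 4.0 macro sheet dump (defined name plus cell formulas).
SAMPLE_XLM = """\
Auto_Open: $A$1
=FORMULA("=EXEC(""notepad.exe"")", B1)
=EXEC("notepad.exe")
=HALT()
"""

# Constructed benign macro: formats an existing sheet, no auto-execution.
BENIGN_VBA = """\
Sub FormatReport()
    Worksheets("Summary").Range("A1").Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for label, src in (("vba", SAMPLE_VBA), ("xlm", SAMPLE_XLM), ("benign", BENIGN_VBA)):
        verdict, why = classify(src)
        print(f"{label}: {verdict} {why}")
```

The rule is deliberately conservative: a white-font assignment or a UserForm1 read on its own is something a legitimate workbook could contain, so the VBA branch only fires when one of those is paired with an auto-execution entry point. Treat a hit as a reason to detonate or manually inspect the file, not as a final verdict.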
QAKBOT is a banking trojan that was first discovered in 2007. In recent years, its operators have invested heavily in its development, turning the Trojan into one of the most powerful and dangerous of its type. It has been identified as a key "malware installation-as-a-service" botnet that enables many of today's campaigns.
According to Trend Micro researchers, the reemergence of QAKBOT malware is likely a signal that the malware distributors will attempt to monetize some of these infections with ransomware in the coming weeks.
“QakBot is unlikely to stop its activity anytime soon. This malware continuously receives updates and the threat actors behind it keep adding new capabilities and updating its modules in order to maximize the revenue impact, along with stealing details and information. Previously, we’ve seen QakBot being actively spread via the Emotet botnet. This botnet was taken down at the beginning of the year, but judging by the infection attempt statistics, which have grown in comparison to the last year, the actors behind QakBot have found a new way of propagating this malicious software,” stated Haim Zigel, malware analyst at Kaspersky.