
Qbot malware moves to a new vector of Windows Installer infection

  • April 12, 2022
  • 0

The Qbot botnet now distributes malware via phishing emails with password-protected ZIP archive attachments containing malicious Windows MSI installer packages. This is the first time Qbot has used

Qbot malware moves to a new vector of Windows Installer infection

The Qbot botnet now distributes malware via phishing emails with password-protected ZIP archive attachments containing malicious Windows MSI installer packages. This is the first time Qbot has used this tactic; it abandons the group's standard method of delivering malware through phishing emails carrying Microsoft Office documents with malicious macros.
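The delivery change matters to anyone running mail-attachment triage: a password-protected ZIP cannot be opened by a gateway that does not know the password from the mail body, so the archive metadata and, for plain entries, the file magic are all a scanner has. The following is an added example, not code from the original article or from any Qbot sample: it hand-builds two small ZIP archives in memory (constructed test data, no malware), one shaped like the lure described above, then scans them for encrypted entries and for Windows Installer packages, including an MSI hidden behind a harmless-looking extension. The MSI signature used is the OLE Compound File header; the `Finding` type and the `build_zip` helper are assumptions of this example.

```python
"""Triage a ZIP e-mail attachment for the lure described above: a
password-protected archive carrying a Windows Installer (.msi) package.

Added example, not code from the original article or from any Qbot sample.
The two archives below are constructed in memory and contain no malware."""
import io
import struct
import zipfile
import zlib
from dataclasses import dataclass

# MSI packages are OLE Compound Files; this is the 8-byte CFB signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
INSTALLER_EXT = (".msi", ".msp", ".mst")   # Windows Installer file types
DOS_DATE = ((2022 - 1980) << 9) | (4 << 5) | 12   # 2022-04-12 in DOS date encoding
DOS_TIME = 9 << 11                                 # 09:00:00 in DOS time encoding


@dataclass
class Finding:
    name: str
    encrypted: bool
    reason: str


def build_zip(entries, encrypted=False):
    """Hand-roll a minimal stored ZIP. The stdlib cannot *write* encrypted
    archives, so we set general-purpose flag bit 0 ourselves; the scanner never
    decrypts, so the 12-byte ZipCrypto header is just zero padding (test data)."""
    flags = 0x0001 if encrypted else 0
    local, central = bytearray(), bytearray()
    for name, data in entries:
        body = (b"\x00" * 12 + data) if encrypted else data
        crc, fname, offset = zlib.crc32(data) & 0xFFFFFFFF, name.encode(), len(local)
        # local file header: sig, version needed, flags, method, time, date, crc,
        # compressed size, uncompressed size, name length, extra length
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, DOS_TIME, DOS_DATE,
                             crc, len(body), len(data), len(fname), 0) + fname + body
        # central directory header: same fields plus comment/disk/attrs and local offset
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                               DOS_TIME, DOS_DATE, crc, len(body), len(data), len(fname),
                               0, 0, 0, 0, 0, offset) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def scan_attachment(blob):
    """Return a Finding per suspicious entry. Encrypted entries cannot be opened
    without the password from the mail body, so they are reported on metadata
    alone; plain entries are checked by magic bytes, which also catches an MSI
    renamed to e.g. .pdf."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            name = zi.filename.lower()
            encrypted = bool(zi.flag_bits & 0x0001)   # general-purpose flag bit 0
            if encrypted:
                reason = ("password-protected Windows Installer package"
                          if name.endswith(INSTALLER_EXT)
                          else "password-protected entry, content not inspectable")
                findings.append(Finding(zi.filename, True, reason))
                continue
            with zf.open(zi) as f:
                head = f.read(8)
            if head == OLE_MAGIC:
                suffix = "" if name.endswith(INSTALLER_EXT) else " behind a non-installer extension"
                findings.append(Finding(zi.filename, False,
                                        "OLE compound file (MSI/Office binary)" + suffix))
            elif name.endswith(INSTALLER_EXT):
                findings.append(Finding(zi.filename, False,
                                        "installer extension without OLE signature"))
    return findings


# Constructed sample 1: the article's lure shape, an encrypted ZIP holding an MSI.
QBOT_STYLE_ZIP = build_zip([("Invoice_2022.msi", OLE_MAGIC + b"\x00" * 24)], encrypted=True)
# Constructed sample 2: a plain ZIP with a harmless text file and an MSI renamed to .pdf.
RENAMED_ZIP = build_zip([("readme.txt", b"hello"), ("report.pdf", OLE_MAGIC + b"\x00" * 24)])

if __name__ == "__main__":
    for label, blob in (("qbot-style", QBOT_STYLE_ZIP), ("renamed", RENAMED_ZIP)):
        for f in scan_attachment(blob):
            print(f"{label}: {f.name} encrypted={f.encrypted}: {f.reason}")
```

The point of the encrypted branch is that the scanner deliberately does not try to decrypt: a gateway that cannot inspect the payload should treat "encrypted archive whose entry claims to be an installer" as a finding in itself rather than pass it through.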

Security researchers suspect the move may be a direct response to Microsoft's February 2022 announcement that it would block VBA macros in Office documents downloaded from the internet by default, following its earlier decision to disable Excel 4.0 (XLM) macros by default.

Microsoft began rolling out automatic blocking of VBA macros to Office users on Windows in early April 2022, starting with Version 2203 in the Current Channel (Preview), with other update channels and earlier versions to follow.

“Despite the different email methods attackers use to deliver Qakbot, these campaigns have one thing in common – the use of malicious macros in Office documents, including Excel 4.0 macros,” Microsoft said in a December statement.

“It should be noted that although threats use Excel 4.0 macros to avoid detection, this feature is now disabled by default and therefore requires users to manually enable it in order to properly handle such threats.”

This is an important security improvement for Office clients, because malicious VBA macros embedded in Office documents are a common phishing technique used to deliver a wide variety of malware families, including Qbot, Emotet, TrickBot, and Dridex.

What is Qbot?

Qbot (also known as Qakbot, Quakbot, and Pinkslipbot) is a modular Windows banking Trojan with worm-like spreading capabilities. It has been active since at least 2007 and is used to steal banking credentials, personal and financial information, and to install backdoors on compromised computers.

The malware is also known to infect other devices on a compromised network by exploiting vulnerabilities in network shares and by running highly aggressive brute-force attacks against Active Directory administrator accounts.
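The brute-force behaviour is visible to defenders as bursts of failed logons against privileged accounts from a single workstation. The following is an added example, not code from the original article: a sliding-window detector over records in the shape of Windows Security event 4625 (logon failure), run over constructed sample events that include a Qbot-style spray against the built-in Administrator account, an ordinary user mistyping a password, and a slow service-account drip that stays under the rate. The `PRIVILEGED_HINTS` naming convention, the five-minute window and the threshold of ten failures are assumptions to be tuned to your own environment.

```python
"""Flag the brute-force pattern described above: bursts of failed logons against
Active Directory administrator accounts from a single host.

Added example, not from the original article. It consumes records in the shape
of Windows Security event 4625 (logon failure); the event data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: privileged accounts follow a naming convention; adjust to your AD.
PRIVILEGED_HINTS = ("administrator", "admin", "da_")


def failed_logons(start, account, host, count, every_seconds):
    """Constructed 4625-style records: (timestamp, target account, source workstation)."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * every_seconds), account, host) for i in range(count)]


# Constructed sample: one burst against the built-in Administrator account (the
# Qbot-style spray), a user mistyping a password, and a slow service-account drip.
SAMPLE_EVENTS = (
    failed_logons("2022-04-12T09:00:00", "Administrator", "WS-FIN-07", 12, 10)
    + failed_logons("2022-04-12T09:05:00", "jsmith", "WS-HR-02", 3, 30)
    + failed_logons("2022-04-12T08:00:00", "svc_backup", "SRV-BK-01", 12, 300)
)


def is_privileged(account):
    """True when the account name matches one of the assumed privileged hints."""
    a = account.lower()
    return any(h in a for h in PRIVILEGED_HINTS)


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=10):
    """Sliding-window count of failures per (source host, target account).
    Returns {(host, account): (peak_failures_in_window, severity)} for pairs at
    or above the threshold; severity is 'high' for privileged targets."""
    per_pair = defaultdict(list)
    for ts, account, host in events:
        per_pair[(host, account.lower())].append(ts)
    alerts = {}
    for (host, account), times in per_pair.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window:      # drop events older than the window
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts[(host, account)] = (peak, "high" if is_privileged(account) else "medium")
    return alerts


if __name__ == "__main__":
    for (host, account), (n, sev) in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"[{sev}] {n} failed logons for {account} from {host} within 5 min")
```

Keying on the (source host, target account) pair rather than on the account alone is what separates a single infected workstation spraying an admin account from legitimate lockout noise spread across many hosts; in a real deployment the records would come from the domain controllers' Security logs rather than from the constructed list.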

Although Qbot has been active for well over a decade, it has mainly been used in targeted attacks against businesses, which offer a higher return on investment. Several ransomware gangs, including REvil, Egregor, ProLock, PwndLocker, and MegaCortex, have also used Qbot to gain a foothold in corporate networks.

Because a Qbot infection can lead to follow-on infections and devastating attacks, IT administrators and security professionals need to be aware of this malware, the tactics it uses to spread across a network, and the methods botnet operators use to reach new targets. Microsoft's December 2021 report highlighted how widespread and varied Qbot attacks are, which makes it difficult to accurately assess the extent of infections.

Source: Port Altele
