A new wave of Qakbot campaigns has been detected using a novel delivery technique. The malware has been active since 2007, primarily targeting sensitive information such as login credentials and financial data. Recently, Qakbot has been observed as a secondary payload dropped by other botnets like Emotet to distribute ransomware.
Trellix Advanced Research Center has detected various campaigns using OneNote documents to distribute Qakbot and other malware such as AsyncRAT, Icedid, and XWorm.
The campaigns use two attack vectors: one embeds a URL in the email body, the other attaches the malicious OneNote file directly to the email. Once the Call-to-Action button inside the document is clicked, the payload is downloaded and executed without warning.
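As an added defender-side example (not code from the original report), the following Python scans a OneNote file for embedded FileDataStoreObject records, the structure that holds the file behind a Call-to-Action button, and flags executable or script payloads. The GUID and header layout come from Microsoft's [MS-ONESTORE] specification; the sample blob, the marker list and the helper names are constructed.

```python
import struct

# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, the FileDataStoreObject header GUID
# from [MS-ONESTORE], serialised in its on-disk (mixed-endian) byte order.
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
HEADER_LEN = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)

BENIGN_MAGIC = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf"}
# Constructed keyword list: strings typical of dropper scripts embedded in .one files.
SCRIPT_MARKERS = (b"powershell", b"cmd.exe", b"wscript", b"mshta", b"@echo")

def extract_embedded_files(data: bytes):
    """Yield (offset, payload) for every FileDataStoreObject found in a .one blob."""
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", data, pos + 16)  # cbLength
        start = pos + HEADER_LEN
        payload = data[start:start + length]
        if len(payload) == length:          # skip truncated or corrupt objects
            yield pos, payload
        pos = data.find(FDSO_HEADER, start)

def classify(payload: bytes) -> str:
    """Coarse verdict from the payload's leading bytes and script keywords."""
    if payload[:2] == b"MZ":
        return "suspicious:pe-executable"
    for magic, name in BENIGN_MAGIC.items():
        if payload.startswith(magic):
            return "benign:" + name
    head = payload[:4096].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "suspicious:script"
    return "unknown"

def triage(data: bytes) -> list:
    """Return [(offset, verdict), ...] for each embedded file in the blob."""
    return [(off, classify(p)) for off, p in extract_embedded_files(data)]

def _fdso(payload: bytes) -> bytes:
    """Build one FileDataStoreObject record (constructed test fixture, not a real file)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload

# Constructed sample: a .one-like blob carrying a PNG and a batch script.
SAMPLE = (b"\0" * 64
          + _fdso(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
          + _fdso(b"@echo off\r\nREM constructed script body\r\n")
          + b"\0" * 8)

if __name__ == "__main__":
    for off, verdict in triage(SAMPLE):
        print(f"offset {off}: {verdict}")
```

Real campaigns also hide the record behind an image overlay, so the verdict should be paired with mail-gateway policy on `.one` attachments rather than used alone.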
These campaigns have resulted in a considerable number of infections in the banking, financial, and wealth management sectors, followed by the government and outsourcing sectors.
The malware employs multiple evasion and sandbox-detection techniques to hinder detection and analysis. It is essential to be cautious when receiving emails with attachments or URLs and to be aware of the risks involved.
In conclusion, it is important to take the necessary steps to protect sensitive information from Qakbot and other malware attacks. Regularly updating security software and educating employees about the risks involved can help prevent the spread of malware.