
QakBot (also known as QBot, QuakBot, Pinkslipbot) has been around since 2008. It is distributed via Emotet, i.e., Emotet downloads QakBot onto victims that are already infected with Emotet, but it is also distributed directly via email. To this end, it uses email conversation thread hijacking in its campaigns [1], i.e., it replies to emails that it finds in its victims' mailboxes. QakBot is known to escalate intrusions by downloading the ProLock ransomware [2] or, lately, the Egregor ransomware.

The delivery method for the observed QakBot campaigns, identified via the regular expression pattern abc+ (campaign ID abc), is still XLM macro documents, as reported previously. We previously reported on their low detection.

QakBot has been updated with more evasion techniques. Its configuration is now stored in a registry key instead of a file. The run key used for persistence is no longer permanently present in the registry: it is written only right before shutdown or reboot and deleted immediately after QakBot is executed again. QakBot's executable is likewise no longer stored permanently on the file system; like the run key entry, it is dropped onto disk before a reboot and deleted afterwards. As a result, security software can only observe QakBot artifacts on disk right before system shutdown and shortly after system boot. However, at exactly those times the security software itself is shutting down or starting up, so it may not detect QakBot's new persistence method. Other changes include dynamic just-in-time decoding and destruction of strings at runtime: any string used by the malware is decoded into memory only when needed and destroyed right afterwards, so it never sits in the binary in clear text.
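The persistence timing described above (run key written just before shutdown, deleted shortly after the next boot) leaves a characteristic pattern in host telemetry even though the artifacts themselves are gone by the time a scanner runs. The following is an added example, not code from the original report, showing how such a pattern can be correlated from a simplified event log. It assumes Sysmon Event ID 13 (registry value set) and 12 (registry object delete) for the Run key, and Windows System log Event IDs 1074 (shutdown or restart initiated) and 6005 (Event Log service started, the first event after boot). The log lines, registry paths, value names and time windows are all constructed for illustration and are not QakBot indicators.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified log: "<ISO timestamp> <EventID> key=value ...".
# The value names and paths below are invented for this example.
SAMPLE_LOG = """\
2021-01-15T07:55:10 13 EventType=SetValue TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveUpdate Details=C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe
2021-01-15T17:59:52 13 EventType=SetValue TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\abcd1234 Details=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Xyzw\\abcd.exe
2021-01-15T18:00:03 1074 User=DESKTOP\\u Reason=Other Type=restart
2021-01-15T18:02:41 6005 Message=The Event log service was started.
2021-01-15T18:03:20 12 EventType=DeleteValue TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\abcd1234
"""

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(log_text):
    """Parse the constructed log format into sorted (time, event_id, fields) tuples."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, rest = line.split(" ", 2)
        fields = dict(KV_RE.findall(rest))
        events.append((datetime.fromisoformat(ts), int(eid), fields))
    events.sort(key=lambda e: e[0])
    return events


def _first_after(events, eid, t0, match=None):
    """Return the time of the first event with `eid` strictly after t0 (optionally filtered)."""
    for t, e, f in events:
        if t > t0 and e == eid and (match is None or match(f)):
            return t
    return None


def find_transient_run_keys(log_text,
                            pre_shutdown=timedelta(minutes=5),
                            post_boot=timedelta(minutes=10)):
    """Flag Run-key values that are set shortly before a shutdown and deleted
    shortly after the following boot. Window sizes are assumptions for this
    example and should be tuned against real telemetry."""
    events = parse_events(log_text)
    findings = []
    for t_set, eid, f in events:
        if eid != 13 or f.get("EventType") != "SetValue":
            continue
        target = f.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):
            continue
        # Was a shutdown/restart initiated within the window after the write?
        t_shutdown = _first_after(events, 1074, t_set)
        if t_shutdown is None or t_shutdown - t_set > pre_shutdown:
            continue
        # Find the boot that followed that shutdown.
        t_boot = _first_after(events, 6005, t_shutdown)
        if t_boot is None:
            continue
        # Was the same value deleted shortly after boot, i.e. once the payload ran again?
        t_del = _first_after(
            events, 12, t_boot,
            lambda g: g.get("EventType") == "DeleteValue" and g.get("TargetObject") == target)
        if t_del is None or t_del - t_boot > post_boot:
            continue
        findings.append({
            "target": target,
            "image": f.get("Details"),
            "set": t_set,
            "shutdown": t_shutdown,
            "boot": t_boot,
            "deleted": t_del,
        })
    return findings


if __name__ == "__main__":
    for hit in find_transient_run_keys(SAMPLE_LOG):
        print(f"transient Run value {hit['target']} -> {hit['image']} "
              f"(set {hit['set'].time()}, shutdown {hit['shutdown'].time()}, "
              f"boot {hit['boot'].time()}, deleted {hit['deleted'].time()})")
```

The persistent OneDrive entry in the sample is written hours before the restart and never deleted, so it is not flagged; only the value whose whole lifetime spans exactly one reboot is. In practice this requires a Sysmon configuration that actually records writes and deletes under the Run keys, and the pre-shutdown and post-boot windows must be set from the observed gap between the registry events and the shutdown/boot events on the hosts being monitored.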