Emotet had taken phishing to a new level with its "dynamite phishing" e-mails. These e-mails came from known senders and even quoted the recipient's own earlier e-mails to get them to open the attached Office document. After the Emotet infrastructure was dismantled, Qakbot is now apparently taking over its tricks and thus also filling a gap in the cybercrime ecosystem.
Like Emotet, Qakbot originally specialized in online banking fraud and has evolved over time. The malware, also known as QBot, has above all expanded its ability to steal passwords and other information. Qakbot used to get onto its victims' computers via Emotet, among other routes. As a current analysis by Kaspersky shows, the Qakbot gang is now increasingly running its own phishing e-mail campaigns and is also using malicious Office files containing macros to infect the recipient's computer. These are often packed in ZIP archives.
Old tricks still work
To start the infection, the recipient has to open the Office file and then click on "Enable content". To make this plausible, Emotet created a trustworthy context using e-mails previously stolen from other victims. As Kaspersky shows, Qakbot now has a dedicated e-mail collector module that searches its victims' computers for Microsoft Outlook in order to access their e-mails.
The Excel file is supposedly protected with DocuSign. Clicking the requested "Enable content" infects the PC with Qakbot.
(Image: Northwave Security)
From these stolen e-mails, the criminals later craft messages carrying further Office Trojans that are specially tailored to the respective recipient. Incidentally, they also like to claim the document is "DocuSign protected": the "Enable content" function is supposedly needed to decrypt the allegedly secured content.
And of course, Qakbot also acts as a door opener for ransomware. In the past this was often Egregor. But the gang also has good relationships with the Trickbot gang, which has one of the currently most successful ransomware families, Conti, in its portfolio. In this way, Qakbot, together with the similarly structured IcedID, ensured that the takedown of the Emotet infrastructure did not lead to a noticeable decrease in the threat from ransomware.
Protection and monitoring
The measures to protect against malicious Office files that were discussed in the context of Emotet prevention are therefore by no means obsolete. If you can, you should still block Office files with macros from arriving by e-mail or download, or at least regulate them sensibly.
In addition, Kaspersky has published an extensive list of IP addresses of known Qakbot C2 servers in its QakBot technical analysis; these can serve as indicators of compromise. Targeted monitoring of suspicious activity is an important component of a ransomware protection concept. Anyone who notices early on that computers in their network are "talking" to known control servers of cybercrime gangs can often prevent the worst.
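The advice above to block or regulate macro-bearing Office files, including ones packed in ZIP archives, can be turned into a mail-gateway check. The following is an added example, not code from the article or from Kaspersky: it flags OOXML documents that carry a vbaProject.bin part and descends into nested ZIPs with a bounded depth; the sample archive it builds is constructed inline, and legacy binary formats (.doc/.xls) are flagged by extension only, since inspecting their OLE structure is out of scope here.

```python
import io
import zipfile

# Legacy OLE formats cannot be inspected here without an OLE parser, so they are
# flagged conservatively by extension (assumption: policy treats them as risky).
LEGACY_BINARY_EXTS = (".doc", ".xls", ".ppt", ".dot", ".xlt", ".pot")
MAX_DEPTH = 3  # bound recursion so nested archives cannot exhaust the gateway


def is_zip(data: bytes) -> bool:
    return data[:4] == b"PK\x03\x04"


def ooxml_has_macros(data: bytes) -> bool:
    """True if a zip-based Office file contains a vbaProject.bin part (word/, xl/, ppt/)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.rsplit("/", 1)[-1] == "vbaProject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def find_macro_documents(data: bytes, name: str = "attachment", depth: int = 0) -> list:
    """Return paths of macro-bearing Office files in `data`, looking inside ZIP containers."""
    if name.lower().endswith(LEGACY_BINARY_EXTS):
        return [name]
    if not is_zip(data):
        return []
    if ooxml_has_macros(data):
        return [name]
    if depth >= MAX_DEPTH:
        return []
    findings = []
    try:  # plain ZIP container: recurse into each member file
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    findings += find_macro_documents(zf.read(info), f"{name}/{info.filename}", depth + 1)
    except zipfile.BadZipFile:
        pass
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a ZIP holding a macro-enabled workbook and a clean document."""
    def make_ooxml(app: str, with_macros: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr(f"{app}/document.xml", "<x/>")
            if with_macros:
                zf.writestr(f"{app}/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("DocuSign_Invoice.xlsm", make_ooxml("xl", True))
        zf.writestr("readme.docx", make_ooxml("word", False))
    return outer.getvalue()
```

Running `find_macro_documents(build_sample_archive(), "mail.zip")` reports only the macro-enabled workbook; a gateway policy would then quarantine or strip that attachment.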
(ju)