A newly published malware analysis report concludes that QakBot is still quacking, with more virulent features that place it again on the watchlist of many cybersecurity experts. According to the report, a new variant of QakBot has been released, terrorizing prominent government and production sectors, mainly in the United States, Europe, and Asian countries. Evidence gathered by the researchers shows that QakBot has been repurposed and equipped with features taken from a recently unraveled malware variant, which makes it a sort of hybrid malware dreaded across the cyber world.
When it was first discovered in 2008, the malware was used solely to steal information from the victim's resources and to add the compromised device to the threat actors' botnet for use at any time. Since then, different features have been added to QakBot, raising the possibility that the actors behind the malware are collaborating with other developers. Another scenario is that they are simply gifted enough to incorporate more destructive code into the existing variant to make it more vicious.
As observed, the threat actors still use the same modus operandi of mail spamming through spear-phishing and Business Email Compromise (BEC) attacks. They utilize interesting subjects, such as the latest news on the pandemic, job offerings, and other government services, to lure their targets into opening the attachment or links that contain the malware script. To give the email a more legitimate appearance, they sometimes use stolen email threads from the Outlook content of a compromised device to further deceive the victim into believing they are responding to a legitimate email.
With these added features, the QakBot malware can bypass the security checks imposed by anti-malware programs, Content Disarm and Reconstruction (CDR) systems, and Endpoint Detection and Response (EDR) systems.
With this ingenuity, it can carry out the extraction and installation of the malware in a segmented process to avoid being noticed by the malware scanner and halted in a sandbox environment. Upon successfully intruding into the targeted device, the malware scans the system and signals the adversaries that the infection succeeded. After determining the vulnerabilities on the system, the threat actors can carry out their hideous acts of stealing sensitive information and sending command-and-control instructions remotely. With its new feature, it can control and execute banking transactions using the user's stolen credentials, unknown to the victim and at the expense of the compromised device. Aside from adding the device to the adversaries' botnet for later use, the malware can directly infect other devices connected to the same network, including devices with Wi-Fi connectivity, which are in turn added to its controlled devices.
The report only shows that adversaries are always on the lookout for opportunities to make their tools more lethal than ever. In this regard, cybersecurity programs should also keep pace to address the upcoming and possible threats that come with the never-ending progress of technology, with vigilance and collaboration among different security experts.