QAKBOT is a prevalent information-stealing malware that was first discovered in 2007. In recent years, its detection has become a precursor to many critical and widespread ransomware attacks. It has been identified as a key "malware installation-as-a-service" botnet that enables many of today's campaigns.

Toward the end of September 2021, we noted that QAKBOT operators resumed email spam operations after an almost three-month hiatus. Specifically, we saw that the malware distributor "TR" was sending malicious spam leading victims to SquirrelWaffle (another malware loader) and QAKBOT. In early October, the same "TR" distributor was reportedly conducting brute-force attacks on Internet Message Access Protocol (IMAP) services, and there is also speculation from security researchers that "TR" uses ProxyLogon to acquire credentials for the attacks.

The actors using QAKBOT are leveraging hijacked email threads in their spam runs, a highly effective tactic used in the past by groups such as Emotet (hijacking an email thread means reviving an old, legitimate conversation with replies that carry malware). Compromising IMAP services and email service providers (ESPs), or hijacking email threads, allows attackers to exploit the trust a potential victim places in people they have corresponded with before, and it also allows for the impersonation of a compromised organization. Intended targets are much more likely to open emails from a recognized sender.

Unlike the waves of QAKBOT that we observed in the weeks leading up to its June 2021 break, this most recent campaign uses Visual Basic for Applications (VBA) macros alongside Excel 4.0 macros. In the following, we dive into the tools and techniques of this new edition and include a thorough analysis of QAKBOT's history and previous tactics in our technical brief.
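As an added defensive illustration (not code from the original post or from Trend Micro), the check below inspects an OOXML workbook for the combination the campaign description mentions: a VBA project (`xl/vbaProject.bin`) alongside Excel 4.0 macro sheets (`xl/macrosheets/`), and reports hidden or very-hidden sheets from `workbook.xml`. The sample workbook it builds is constructed in memory purely for demonstration; the triage threshold in `is_suspicious` is an assumption, and legacy binary `.xls` (OLE) files are out of scope.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass, field

SSML_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


@dataclass
class MacroFindings:
    vba_project: bool = False
    xl4_macro_sheets: list = field(default_factory=list)
    hidden_sheets: list = field(default_factory=list)


def inspect_workbook(data: bytes) -> MacroFindings:
    """Inspect OOXML workbook bytes (.xlsm/.xlsx) for VBA and Excel 4.0 macro content."""
    findings = MacroFindings()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an OOXML container (e.g. legacy OLE .xls); out of scope here
    with zf:
        for name in zf.namelist():
            low = name.lower()
            if low == "xl/vbaproject.bin":
                findings.vba_project = True
            elif low.startswith("xl/macrosheets/") and low.endswith(".xml"):
                findings.xl4_macro_sheets.append(name)
        if "xl/workbook.xml" in zf.namelist():
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.iter(SSML_NS + "sheet"):
                if sheet.get("state") in ("hidden", "veryHidden"):
                    findings.hidden_sheets.append(sheet.get("name"))
    return findings


def is_suspicious(f: MacroFindings) -> bool:
    """Assumed triage rule: flag VBA and Excel 4.0 macro sheets present in the same workbook."""
    return f.vba_project and bool(f.xl4_macro_sheets)


def build_sample(with_vba: bool, with_xl4: bool) -> bytes:
    """Constructed minimal OOXML container for offline demonstration (not a real sample)."""
    sheets = '<sheet name="Sheet1" sheetId="1"/>'
    if with_xl4:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml",
                    f'<workbook xmlns="{SSML_NS[1:-1]}"><sheets>{sheets}</sheets></workbook>')
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic bytes only
        if with_xl4:
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()
```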

Disclaimer

Trend Micro Inc. published this content on 12 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 12 November 2021 13:33:16 UTC.