The infamous Qakbot malware is back, and sporting some interesting improvements, experts have warned.
Cybersecurity researchers from Sophos have observed new distribution campaigns for Qakbot, the malware now comes with a fake Windows installer. Once the victim clicks on the malware, it displays a bogus installer for an Adobe product.
The installer looks suspicious to begin with, displaying nothing but the words “Adobe Setup”. Clicking on the X button to terminate the process, the installer asks “Are you sure you want to cancel Adobe installation?” as it tries to trick the user into thinking the process is legitimate. The worst part is – it doesn’t matter what the victim clicks. In every scenario, the malware is installed – as the prompt only serves as a distraction.
Back with a vengance
Other notable improvements include enhanced obfuscation techniques, such as advanced encryption which hides strings and C2 communications. Besides the XOR encryption method that was observed in earlier variants, the new Qakbot versions also use AES-256 encryption.
Finally, the malware analyzes the endpoint for antivirus solutions and other protection tools, and checks for virtualized environments. If it deems it was installed in a sandbox, it will enter an infinite loop.
Qakbot was severely disrupted in the summer of 2023, when US law enforcement agencies took down its infrastructure during Operation Duck Hunt. However, as no arrests were made at the time, researchers concluded that it was only a matter of time before Qakbot’s operators sprung back into action.
Indeed, in December last year, Microsoft reported on a new phishing campaign distributing Qakbot and now Sophos says that up to 10 new malware builds were made since then.
Still, it is impossible to know if the new variants were developed by the same people that built the original Qakbot, or if a different threat actor obtained the source code and started experimenting with fresh builds.
Via BleepingComputer