Malware
February 16, 2024

New Qbot Malware Deploys Fake Adobe Installer Popup to Dodge Detection

The creator of the Qakbot malware, or an individual with access to its source code, appears to be testing out new versions, as recent instances have been detected in email campaigns since mid-December.

One of the observed variants employs a deceptive tactic on Windows, presenting users with a counterfeit installer for an Adobe product, enticing them to install the malware.

Known also as QBot, this malware has long functioned as a conduit for deploying various malicious payloads, such as ransomware, typically distributed to victims via email.

Until its dismantling last August, QBot had infected over 700,000 systems, causing financial damages estimated at over £49 million in just 18 months.

Dubbed Operation Duck Hunt, the takedown did not result in any arrests, leading many security researchers to anticipate that Qakbot developers would reconstruct their infrastructure and resume distribution campaigns.

Last year, a Qakbot campaign that had commenced prior to the takedown and persisted into early October was reported. Researchers speculated that this continued operation was feasible because law enforcement only disrupted the malware's command and control servers, leaving the spam delivery infrastructure intact.

In December 2023, Microsoft identified a QBot phishing campaign masquerading as the IRS, confirming concerns regarding the malware's resurgence.

An advanced threat response task force recently detected renewed QBot activity, with as many as 10 new malware variants emerging since mid-December.

Researchers have also taken note of recent developments surrounding QBot. In late January, they released a technical report detailing the malware's evolution since 2008.

New Variants of QBot

Analysts have conducted reverse engineering on fresh QBot samples, observing minor increases in the build numbers, suggesting ongoing testing and refinement by the developers.

Samples from December and January were distributed as Microsoft Software Installer (.MSI) executables, which then deployed a DLL binary through a .CAB (Windows Cabinet) archive.

This method deviates from previous iterations, which relied on injecting code into legitimate Windows processes (such as AtBroker.exe, backgroundTaskHost.exe, dxdiag.exe) to avoid detection.
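The MSI-then-CAB delivery chain described above is something a triage analyst can surface statically, because a Windows Cabinet archive carries its file table in the clear even when the member data is compressed. The script below is an added example, not code from the article or from Cybaverse: it locates embedded cabinets by their `MSCF` signature, walks the CFFILE table and flags any `.dll` members. The sample input is constructed inline (an OLE compound-file magic that real `.msi` files start with, padding, a decoy signature and a hand-built cabinet header) and is not a real Qakbot installer; the field layout follows the public CAB format specification.

```python
import struct

# Constructed triage helper: list file names inside CAB archives embedded in a blob
# (for example an .msi dropped by a phishing campaign). Educational example only.

CAB_MAGIC = b"MSCF"
# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
#           versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER_FMT = "<4sIIIIIBBHHHHH"          # 36 bytes, little-endian
CFHEADER_SIZE = struct.calcsize(CFHEADER_FMT)
# CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, then a NUL-terminated name
CFFILE_FMT = "<IIHHHH"                    # 16 bytes before the name
CFFILE_SIZE = struct.calcsize(CFFILE_FMT)


def parse_cab(data, off):
    """Parse a CFHEADER at `off`; return the CFFILE entries, or None if the header is not plausible."""
    if len(data) - off < CFHEADER_SIZE:
        return None
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, _ver_minor, ver_major,
     _c_folders, c_files, _flags, _set_id, _i_cabinet) = struct.unpack_from(CFHEADER_FMT, data, off)
    # Reject decoy signatures and truncated cabinets before trusting any offset.
    if sig != CAB_MAGIC or ver_major != 1 or cb_cabinet < CFHEADER_SIZE or off + cb_cabinet > len(data):
        return None
    if coff_files < CFHEADER_SIZE or coff_files > cb_cabinet:
        return None
    # coffFiles is relative to the cabinet start, so optional reserve areas and
    # CFFOLDER records can be skipped without parsing them.
    entries, pos, end = [], off + coff_files, off + cb_cabinet
    for _ in range(c_files):
        if pos + CFFILE_SIZE > end:
            return None
        cb_file, _uoff, i_folder, _date, _time, _attribs = struct.unpack_from(CFFILE_FMT, data, pos)
        pos += CFFILE_SIZE
        nul = data.find(b"\x00", pos, end)
        if nul < 0:
            return None
        entries.append({"name": data[pos:nul].decode("latin-1"), "size": cb_file, "folder": i_folder})
        pos = nul + 1
    return entries


def find_embedded_cabs(blob):
    """Return every plausible cabinet in `blob` as {'offset': int, 'files': [...]}."""
    results, off = [], blob.find(CAB_MAGIC)
    while off >= 0:
        entries = parse_cab(blob, off)
        if entries is not None:
            results.append({"offset": off, "files": entries})
        off = blob.find(CAB_MAGIC, off + len(CAB_MAGIC))
    return results


def suspicious_dlls(blob):
    """Names of DLL members carried by any embedded cabinet (a review prompt, not a verdict)."""
    return [e["name"] for cab in find_embedded_cabs(blob)
            for e in cab["files"] if e["name"].lower().endswith(".dll")]


def build_sample_cab(names):
    """Construct a minimal cabinet header plus CFFILE table (no CFDATA payload) for testing."""
    files = b"".join(struct.pack(CFFILE_FMT, 1024, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00" for n in names)
    folder = struct.pack("<IHH", 0, 0, 0)  # one stored (uncompressed) CFFOLDER with zero data blocks
    coff_files = CFHEADER_SIZE + len(folder)
    cb_cabinet = coff_files + len(files)
    header = struct.pack(CFHEADER_FMT, CAB_MAGIC, 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, len(names), 0, 0x1234, 0)
    return header + folder + files


OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file signature that real .msi files begin with
# Constructed sample: not a real MSI structure, just enough to exercise the scanner,
# including a decoy "MSCF" string that must be rejected.
SAMPLE_MSI = (OLE_MAGIC + b"\x00" * 504 + b"MSCFnot-a-real-cab"
              + build_sample_cab(["setup.dll", "readme.txt"]) + b"\x00" * 16)

if __name__ == "__main__":
    for cab in find_embedded_cabs(SAMPLE_MSI):
        print(f"cabinet at offset {cab['offset']}: {[f['name'] for f in cab['files']]}")
    print("DLL members:", suspicious_dlls(SAMPLE_MSI))
```

A DLL inside an installer's cabinet is of course normal for legitimate software, so the output is a prompt for closer review (signature, publisher, export names) rather than a detection on its own; the value of the check is that it works on the dropped file before any code has executed.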

The latest Qakbot variants employ advanced obfuscation techniques, including enhanced encryption to conceal strings and command-and-control (C2) communication.

In particular, the malware now utilizes AES-256 encryption in addition to the XOR method observed in older versions.

The malware conducts checks for endpoint protection software and has reintroduced checks for virtualized environments. If it detects a virtual machine, it initiates an infinite loop in an attempt to evade detection.

Qakbot employs a deceptive popup that falsely indicates the Adobe Setup is in progress on the system. This misleading tactic aims to deceive users by presenting fake installation prompts, ultimately launching the malware irrespective of the user's interaction with the prompts.

According to analysts, closely tracking QBot's evolution allows for timely updates to detection protocols and the dissemination of vital information to fellow security providers.

Despite the emergence of only a few samples following the dismantling of QBot's C2 infrastructure last year, analysts assert that any attempts by threat actors to revive it warrant vigilant monitoring and thorough examination.
