The distribution of QAKBOT malware is resurrected once again by operators of the Black Basta ransomware group on September 8, 2022, after a short leisure break.
While the latest distribution mechanism and campaign were identified by cybersecurity researchers at Trend Micro and the attackers using Penetration Testing tools to infiltrate the targeted networks.
In this latest campaign, the threat actors are distributing the QAKBOT malware with the help of the following malicious payloads:-
As a second-stage payload, the attackers deployed the Qakbot malware in their recent attacks by exploiting the Brute Ratel C4 framework payload. During the attack, Cobalt Strike was also used to move laterally as part of the attack.
A malicious email ignites the whole campaign and this email contains a malicious URL that redirects the victims to a download page. Here, an archive file containing documents and files will be downloaded.
There are two things that you will find in the archive:-
There is a geographical distribution of C&C servers among compromised hosts, which makes the infrastructure difficult to detect. There are 28 countries where all these hosts are found within ISP broadband networks.
Each C&C server is used once by the operators of the QAKBOT malware, as they don’t use a server repeatedly, instead, they always keep changing them for more complexity. It has even been found that some of them have been saved in more than one QAKBOT configuration.
QAKBOT launches a reconnaissance operation on the network and then it drops the Brute Ratel DLL within 6 minutes of its introduction.
The following things are identified during the subsequent reconnaissance process in the environment:-
In order to prepare the data for exfiltration, the files are then packaged into a ZIP file, and it takes only a few seconds to accomplish this data extraction process.
Here, we have compiled a list of the countries in which the C&C servers for the QAKBOT are located:-
Apart from this, it has been detected that attackers are also using the HTML Smuggling method to deliver a password-protected ZIP file. Malicious code can be injected into HTML attachments or web pages through this technique.
Here below we have mentioned all the recommendations provided:-
Also Read: Download Secure Web Filtering – Free E-book
Trend Micro, a cybersecurity firm, has released its 50th installment report on the Russian-speaking cybercriminal…
The Pakistan-linked Advanced Persistent Threat (APT) group known as SideCopy has significantly expanded its targeting…
Russian state-backed advanced persistent threat (APT) group Storm-2372 has exploited device code phishing to bypass…
Threat actors are exploiting weaknesses in SMS verification systems to generate massive, fraudulent message traffic,…
The cyber threat landscape has witnessed remarkable adaptation from the notorious hacker collective known as…
North Korean threat actors have demonstrated their adept use of social engineering techniques combined with…