Phishing emails with password-protected ZIP archive attachments containing malicious MSI Windows Installer packages are now being used by the Qbot botnet to spread malware payloads.
This is the first time the Qbot operators have used this strategy, which differs from their usual method of spreading malware via phishing emails that drop Microsoft Office documents containing dangerous macros onto recipients’ computers.
Security experts believe this is a direct response to Microsoft’s announcement in February that it will block malware delivery via VBA Office macros, after having deactivated Excel 4.0 (XLM) macros by default in January.
In early April 2022, Microsoft began rolling out the VBA macro autoblock feature to Office for Windows users, starting with Version 2203 in the Current Channel (Preview) and later to other release channels and earlier versions.
“Despite the many email methods attackers are utilising to transmit Qakbot, these attacks all use malicious macros in Office documents, particularly Excel 4.0 macros,” Microsoft said in December.
“It should be noted that, while threats use Excel 4.0 macros to elude detection, this functionality is now blocked by default, requiring users to manually enable it in order for such threats to run successfully.”
This is a huge security enhancement for Office subscribers, as dangerous VBA macros hidden in Office documents are a common way for phishing campaigns to spread a wide range of malware strains, including Qbot, Emotet, TrickBot, and Dridex.
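The delivery change described at the top of the article (a password-protected ZIP carrying an MSI package) can still be screened at a mail gateway without knowing the password, because ZIP encryption (ZipCrypto or AES) protects only file contents: the central directory, with entry names and the encryption flag bit, stays in clear text. The following Python script is an added example written for this article, not code from the article, Microsoft, or any vendor; the sample archive it builds is constructed in-memory junk with the encryption bit set by hand (the standard library cannot write encrypted archives), and the `verdict` policy and the extension list are assumptions a deployment would tune.

```python
"""Flag email attachments that are password-protected ZIP archives carrying
Windows Installer (.msi) packages or other executable content.

ZIP encryption encrypts only file contents; the central directory, including
entry names and the general-purpose flag bits, is readable without a password.
"""
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose bit flag
# Assumed list of entry types a gateway would treat as suspicious inside an
# encrypted archive; tune for the environment.
SUSPICIOUS_EXTENSIONS = (".msi", ".exe", ".js", ".vbs", ".lnk", ".dll", ".iso")


def inspect_zip(data: bytes) -> dict:
    """Return what can be learned from an attachment without a password."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"is_zip": False, "encrypted": False, "entries": [], "suspicious": []}
    entries = []
    encrypted = False
    for info in zf.infolist():  # central directory only; no decryption needed
        entries.append(info.filename)
        if info.flag_bits & ENCRYPTED_FLAG:
            encrypted = True
    suspicious = [n for n in entries if n.lower().endswith(SUSPICIOUS_EXTENSIONS)]
    return {"is_zip": True, "encrypted": encrypted, "entries": entries, "suspicious": suspicious}


def verdict(data: bytes) -> str:
    """Assumed policy: 'block' an encrypted ZIP holding installer/executable
    entries, 'review' an encrypted ZIP or an unencrypted one with such entries,
    otherwise 'allow'."""
    r = inspect_zip(data)
    if not r["is_zip"]:
        return "allow"
    if r["encrypted"] and r["suspicious"]:
        return "block"
    if r["encrypted"] or r["suspicious"]:
        return "review"
    return "allow"


def make_sample_zip(name: str, encrypted: bool) -> bytes:
    """Constructed sample (no real malware): a ZIP with one junk entry. When
    `encrypted` is set, bit 0 of the flag word is patched in both the local
    file header (PK\\x03\\x04, flag at offset 6) and the central directory
    entry (PK\\x01\\x02, flag at offset 8), mimicking a password-protected
    archive's metadata without actually encrypting anything."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"not a real installer, just constructed bytes")
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= ENCRYPTED_FLAG
                pos = raw.find(sig, pos + 1)
    return bytes(raw)


if __name__ == "__main__":
    cases = (("invoice.msi", True), ("invoice.msi", False),
             ("report.pdf", True), ("report.pdf", False))
    for name, enc in cases:
        print(f"{name:12} encrypted={enc!s:5} -> {verdict(make_sample_zip(name, enc))}")
```

Because the entry list is visible before any password is entered, the same check works on a gateway, in a sandbox pre-filter, or in an EDR rule on archives written to the Downloads folder; the password in the email body is only needed to extract the payload, not to classify the container.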
Since at least 2007, Qbot (also known as Qakbot, Quakbot, and Pinkslipbot) has been used to steal banking credentials, personal information, and financial data, as well as to install backdoors on hacked systems and deploy Cobalt Strike beacons.
This virus is also notorious for leveraging network share exploits and particularly aggressive brute-force assaults against Active Directory admin accounts to infect other devices on a compromised network.
Although it has been around for more than a decade, the Qbot virus has mostly been used in highly focused attacks against business entities, since those deliver a higher return on investment.
Qbot has also been utilised by a number of ransomware gangs, including REvil, Egregor, ProLock, PwndLocker, and MegaCortex.
Because Qbot infections can lead to further severe infections and highly disruptive attacks, IT administrators and security professionals should familiarise themselves with the malware, as well as with the strategies the botnet operators use to transmit it to new targets.
The variety of Qbot attacks, according to a Microsoft analysis from December 2021, makes it difficult to precisely assess the scale of its infections.