Researchers Discover New Attempts by Qakbot Malware to Bypass Detection


The operators behind the Qakbot malware transform their delivery vectors in an attempt to evade detection.

“Recently, threat actors have transformed their detection evasion techniques by using ZIP file extensions, tricking filenames with commonly used formats, and Excel (XLM) 4.0 to trick victims into downloading malicious attachments that install Qakbot,” Zscaler Threatlabz ​​Researchers Tarun Dewan and Aditya Sharma said

Other methods used by the group include code obfuscation, introducing new layers in the attack chain from initial compromise to execution, and using multiple URLs and unknown file extensions (e.g. .OCX, .ooccxx, .dat or .gyp) to deliver the load.

Qakbot, also known as QBot, QuackBot or Pinkslipbot, has been a recurring threat since late 2007, evolving from its early days as a banking Trojan into a modular information stealer capable of deploying next-stage payloads such as ransomware.

“Qakbot is a flexible post-exploit tool that contains several layers of defense-evasion techniques designed to minimize detections,” Fortinet revealed in Dec 2021.

“Qakbot’s modular design and infamous resilience in the face of traditional signature-based detection make it a desirable first choice for many financially motivated groups (cybercriminals).”

The malware’s shifting tactic from XLM macros to .LNK files in early 2022 in May is seen as an attempt to counter Microsoft’s plans to block default Office macros by April 2022, a decision it has since temporarily halted. has reversed.

Further changes include using PowerShell to download the DLL malware and switching from regsvr32.exe to rundlll32.exe to load the payload, in what the researchers described as a “clear sign that Qakbot is evolving to evade updated security practices and defense.”