Several researchers have independently identified a new trend in which malware operators switch between the QBot/QakBot and IcedID trojans. The latest observation of this trend came this Monday.
As a rule, attackers use these trojans as an intermediate stage of a longer infection chain, at the end of which they deliver various ransomware families as the final payload.
IcedID started as a banking trojan in 2017 but later switched to malware delivery, distributing ransomware such as RansomExx, Maze, and Egregor.
In February, researcher Brad Duncan of Palo Alto Networks observed IcedID as the new malware being served from URLs that used to deliver QBot. He wrote at the time:
“HTTPS URL generated by the Excel macro ends with /ds/2202.gif which normally would deliver Qakbot, but today it delivered IcedID.”
Researcher James Quinn of Binary Defense then made the same observation in March, when they saw a new IcedID/BokBot variant while tracking a malicious spam campaign involving QakBot.
Now, a month and a half later, the malware distributor has switched back to QakBot, as researcher and reverse engineer reecDeep spotted on Monday, noting that the campaign relied on updated XLM macros.
The same trick is seen in the analysis from both Binary Defense and Brad Duncan on the malware distributor’s switch to delivering IcedID in February 2021.
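The trick in Duncan's quote above, a macro-generated URL whose `.gif` path hands back a Windows executable, is easy to catch on a proxy if the response body is checked against what the URL claims. The following detector is an added example, not code from the article or from any of the researchers named; the log records are constructed, and the hostname, path regex and record layout are assumptions.

```python
"""Flag downloads whose URL claims a GIF but whose body starts like a Windows PE.

Added example (not from the article). SAMPLE_RECORDS is a constructed stand-in for
proxy log entries joined with the first bytes of each HTTP response body.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

GIF_MAGIC = (b"GIF87a", b"GIF89a")   # valid GIF file headers
PE_MAGIC = b"MZ"                      # DOS/PE header every Windows EXE/DLL begins with

# Path shape quoted in the article (/ds/<digits>.gif); assumed pattern, tune for your own logs.
SUSPECT_PATH = re.compile(r"/ds/\d+\.gif$", re.IGNORECASE)

# Constructed records: a real GIF, a PE behind the article's .gif path, a decoy
# that really is a GIF on that path, and a PE behind an unrelated .gif path.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"url": "https://example.invalid/images/logo.gif", "body": b"GIF89a\x01\x00\x01\x00"},
    {"url": "https://example.invalid/ds/2202.gif", "body": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"url": "https://example.invalid/ds/2202.gif", "body": b"GIF89a\x10\x00\x10\x00"},
    {"url": "https://example.invalid/update/file.gif", "body": b"MZ\x90\x00\x03\x00\x00\x00"},
]


def classify_body(body: bytes) -> str:
    """Classify a response body by its magic bytes: 'gif', 'pe' or 'unknown'."""
    if body.startswith(GIF_MAGIC):
        return "gif"
    if body.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def is_suspicious(url: str, body: bytes) -> bool:
    """True when the URL's extension says GIF but the body is a PE executable."""
    return urlparse(url).path.lower().endswith(".gif") and classify_body(body) == "pe"


def scan(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one finding per mismatched download; path_match notes the /ds/<n>.gif shape."""
    findings = []
    for rec in records:
        url, body = str(rec["url"]), bytes(rec["body"])  # type: ignore[arg-type]
        if is_suspicious(url, body):
            path = urlparse(url).path
            findings.append({"url": url, "reason": "gif-url-served-pe",
                             "path_match": bool(SUSPECT_PATH.search(path))})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

The extension-versus-magic check is the durable part; the `/ds/<n>.gif` regex is only an enrichment flag, since the distributor can rename paths at will.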
Recently, Intel 471 researchers detailed EtterSilent, a malicious document builder that can bypass several security mechanisms, such as Windows Defender, AMSI, and email clients. The tool can assemble infected documents that mimic DocuSign or DigiCert-protected files and require user interaction for decryption.
According to Intel 471, multiple malware operators started to use EtterSilent, among them IcedID and QakBot.
In a reply to BleepingComputer about the recent switch to QakBot, James Quinn said that all evidence points to “a fairly large update to QakBot” that changed its decryption algorithms.
This may explain the attackers' preference for QakBot in the new campaigns.