The Qbot botnet is now spreading its malware payloads through phishing emails that carry password-protected ZIP archives containing malicious MSI Windows Installer packages. This is the first time Qbot’s operators have used this technique; their usual delivery method has been phishing emails that drop Microsoft Office documents containing malicious macros onto targets’ systems.
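The password protection in this lure is meant to keep mail gateways from scanning the payload, but it does not hide the archive's metadata: both legacy ZipCrypto and WinZip AES encrypt only each member's data, while the central directory (member names and the per-entry "encrypted" flag) stays in clear text. The following triage check is an added example written for this page, not code from the article or from any vendor product; the function names, the fixtures and the verdict labels are invented for illustration, and because Python's `zipfile` cannot write password-protected archives, the sample lure is built by setting the encrypted flag bit on an ordinary archive, which is all the check reads anyway.

```python
"""Triage ZIP attachments for the password-protected-ZIP + MSI pattern.

Added example, not from the article. Assumes the attachment bytes are
already in hand (e.g. pulled from a mail gateway quarantine). Names such as
inspect_zip_attachment and the verdict strings are invented for illustration.
"""
import io
import struct
import zipfile

ZIP_FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0: member data is encrypted
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE Compound File header, used by MSI
INSTALLER_EXTENSIONS = (".msi", ".msp", ".mst")


def inspect_zip_attachment(data: bytes) -> dict:
    """Return triage findings for one ZIP attachment without needing its password.

    verdict is "suspicious" when a password-protected archive carries an installer,
    "review" when an installer (or a renamed one) is present unencrypted,
    "clean" otherwise, and "not-a-zip" when the bytes are not a ZIP at all.
    """
    findings = {"encrypted_members": [], "installer_members": [],
                "disguised_installers": [], "verdict": "clean"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))   # parses only the central directory
    except zipfile.BadZipFile:
        findings["verdict"] = "not-a-zip"
        return findings
    with zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
            if encrypted:
                findings["encrypted_members"].append(info.filename)
            if info.filename.lower().endswith(INSTALLER_EXTENSIONS):
                findings["installer_members"].append(info.filename)
            elif not encrypted and not info.is_dir():
                # Unencrypted members can be sniffed to catch an MSI renamed to .pdf etc.
                with zf.open(info) as fh:
                    if fh.read(len(CFB_MAGIC)) == CFB_MAGIC:
                        findings["disguised_installers"].append(info.filename)
    if findings["installer_members"] and findings["encrypted_members"]:
        findings["verdict"] = "suspicious"
    elif findings["installer_members"] or findings["disguised_installers"]:
        findings["verdict"] = "review"
    return findings


def _mark_members_encrypted(zip_bytes: bytes) -> bytes:
    """Fixture helper: set the encrypted flag in every local and central header.

    Python's zipfile cannot write password-protected archives, so this mimics one
    by flipping the flag bit (offset 6 in local headers, offset 8 in central
    directory headers). Member data is left untouched; the inspector never reads
    members it believes are encrypted, so that is irrelevant to the check.
    """
    buf = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + flag_off)[0] | ZIP_FLAG_ENCRYPTED
            struct.pack_into("<H", buf, pos + flag_off, flags)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


# Constructed stand-in for an MSI: a valid CFB magic followed by filler bytes.
_FAKE_MSI = CFB_MAGIC + b"\x00" * 56


def build_sample_lure() -> bytes:
    """Constructed sample: a 'password-protected' archive carrying an .msi."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_2022.msi", _FAKE_MSI)
    return _mark_members_encrypted(out.getvalue())


def build_sample_disguised() -> bytes:
    """Constructed sample: unencrypted archive with an MSI renamed to .pdf."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_2022.pdf", _FAKE_MSI)
    return out.getvalue()


if __name__ == "__main__":
    for label, sample in (("lure", build_sample_lure()),
                          ("disguised", build_sample_disguised()),
                          ("garbage", b"not a zip")):
        print(label, inspect_zip_attachment(sample))
```

The check deliberately treats "encrypted archive that names an installer" as the strongest signal, since a legitimate sender rarely needs to password-protect an MSI. It does not see inside nested archives or members whose names have been stripped of extensions and encrypted, so in a gateway it belongs alongside, not instead of, sandbox detonation once the password has been extracted from the email body.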
Security researchers believe this is a direct response to Microsoft’s announcement in February 2022 that it would block VBA macros by default in Office documents downloaded from the internet, following its decision to disable Excel 4.0 (XLM) macros by default in January. In early April 2022, Microsoft began rolling out the VBA macro auto-block feature to Office for Windows users, starting with Version 2203 in the Current Channel (Preview), with other release channels and earlier versions to follow.
“Despite the varying email methods attackers are using to deliver Qakbot, these campaigns have in common their use of malicious macros in Office documents, specifically Excel 4.0 macros,” Microsoft said. “It should be noted that while threats use Excel 4.0 macros as an attempt to evade detection, this feature is now disabled by default and thus requires users to enable it manually for such threats to execute properly.”
This is a significant security improvement for Office users, since malicious VBA macros hidden in Office documents are routinely used in phishing campaigns to spread malware strains including Qbot, TrickBot, Dridex, and Emotet. Qbot (also known as Qakbot, Quakbot, and Pinkslipbot) has been active since at least 2007 and has been used to steal banking credentials, personal information, and financial data, to install backdoors on compromised systems, and to distribute Cobalt Strike beacons.
The malware is also known for exploiting network share vulnerabilities and for particularly aggressive brute-force attacks against Active Directory administrator accounts in order to spread to other devices on a compromised network. Although it has been around for more than a decade, Qbot has mostly been used in targeted attacks on businesses, which offer a better return on investment. Qbot has also been used by several ransomware gangs, including REvil, PwndLocker, ProLock, Egregor, and MegaCortex.
Because Qbot infections can lead to severe compromises and highly disruptive attacks, IT administrators and security professionals should familiarize themselves with the malware and with the techniques its operators use to deliver it to new targets. According to a Microsoft analysis from December 2021, the diversity of Qbot attacks makes it difficult to assess the scale of its infections precisely.