On 3 August, security researcher Brad Duncan reported a malicious spam (malspam) campaign1 that used compressed Visual Basic Script (VBScript) files to deliver Qakbot malware.
Qakbot, also known as Qbot, is an information stealer (infostealer) that can steal a victim’s credentials, banking information, and files. Qakbot includes worm capabilities that allow it to spread itself to other systems on the same network, as well as rootkit capabilities that help to hide its presence and establish persistence on infected clients.
The malspam emails in this Qakbot campaign used a variety of seemingly unrelated lures that all enticed the recipient to click a link labeled “OPEN THE DOCUMENT”. These links led to compromised websites hosting compressed archives that contained malicious VBScript files. This differs from the last Qakbot campaign we reported on, which used Microsoft OneDrive to host compressed archives that contained malicious Microsoft Word documents.2
When the victim extracts and opens the malicious VBScript contained within the ZIP file, it will download and execute the Qakbot payload. The payload URLs in this campaign used a different filename (8888888.png) than the ones Qakbot used between December 2019 and April 2020 (44444.png and 444444.png). Despite their PNG file extensions, these Qakbot payloads are always Windows executable (EXE) files.
When Qakbot is executed, it remains inactive for a variable number of minutes in order to evade sandbox detection. Once active, it opens an instance of explorer.exe and injects the QakBot dynamic link libraries (DLLs) into the process. It then attempts to cover its tracks by overwriting the original contents of the malware with one of several legitimate Windows executables.
Once Qakbot finishes trying to cover its tracks, it creates a registry entry that will automatically launch the malware every time the computer boots up. It also creates recurring tasks to ensure that the malware is still running and has not been removed.
After establishing persistence, Qakbot begins to steal the victim’s information and transmits the stolen data to its command and control (C2) servers. It also attempts to spread itself to other systems via network shares and removable drives.
Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.