On 8 April, security researcher Brad Duncan reported a malicious campaign that used Microsoft OneDrive to host compressed Microsoft Word documents with malicious macros that delivered Qakbot malware.[1]
Qakbot, also known as Qbot, is an information stealer that can steal a victim’s credentials, banking information, and files. Qakbot includes worm capabilities that allow it to spread itself to other systems on the same network, as well as rootkit capabilities that help to hide its presence and establish persistence on infected clients.
When the victim extracts and opens the malicious Word document contained within the ZIP file, they are presented with a message instructing them to enable macros. Once enabled, these macros will download and execute the Qakbot payload. Since December 2019, Qakbot payload URLs have ended with one of two filenames: 44444.png or 444444.png.[2] Despite their PNG file extensions, these Qakbot payloads are always Windows executable (EXE) files.
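The two observations above (payload URLs ending in 44444.png or 444444.png, and a PE executable served under a .png name) translate directly into detection logic. The following is an added example, not code from the original report: it scans constructed proxy log lines in an assumed "timestamp client method url status bytes" format, using placeholder .invalid hostnames rather than real indicators, and checks a downloaded body for the MZ header that marks a Windows executable.

```python
from urllib.parse import urlparse

# Payload filenames reported for Qakbot since December 2019.
QAKBOT_PAYLOAD_NAMES = {"44444.png", "444444.png"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG files start with this
MZ_MAGIC = b"MZ"                   # Windows PE (EXE/DLL) files start with this


def is_qakbot_payload_url(url: str) -> bool:
    """True if the URL path's last segment is one of the known payload names."""
    filename = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return filename in QAKBOT_PAYLOAD_NAMES


def pe_disguised_as_png(url: str, body: bytes) -> bool:
    """True when a URL that claims to serve a .png actually returns a PE file.

    The query string is ignored so '.../44444.png?x=1' is still treated as .png.
    """
    path = urlparse(url).path.lower()
    return path.endswith(".png") and body[:2] == MZ_MAGIC and not body.startswith(PNG_MAGIC)


def scan_proxy_log(lines):
    """Return (line_number, url) for every log line requesting a Qakbot payload name.

    Assumed line layout: '<timestamp> <client_ip> <method> <url> <status> <bytes>'.
    Malformed lines are skipped rather than raising.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        if is_qakbot_payload_url(url):
            hits.append((number, url))
    return hits


# Constructed sample log lines; hostnames use the reserved .invalid TLD.
SAMPLE_LOG = [
    "2020-04-08T14:02:11Z 10.0.0.25 GET http://cdn-images.example.invalid/logo.png 200 8120",
    "2020-04-08T14:03:40Z 10.0.0.25 GET http://update-host.example.invalid/img/44444.png 200 419328",
    "2020-04-08T14:03:41Z 10.0.0.31 GET http://other.example.invalid/assets/444444.png?x=1 200 419328",
    "2020-04-08T14:05:02Z 10.0.0.31 GET http://benign.example.invalid/44444.pngx 404 0",
]

if __name__ == "__main__":
    for number, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {number}: possible Qakbot payload fetch -> {url}")
```

A hit on the filename alone is a strong lead but not proof; pairing it with the MZ-under-.png check on the retrieved body removes the false positives a coincidental filename would produce.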
Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://www.malware-traffic-analysis.net/2020/04/08/index.html
2. https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/