Although Microsoft has taken commendable steps against malware over the past few years, including its recent decision to block macros in Office files downloaded from the internet, threat actors keep finding ways around such measures: the notorious Qbot malware has now evolved to stay effective despite Microsoft's latest change.
According to research by Black Lotus Labs, Qbot (also known as Qakbot), which began as a banking trojan over a decade ago, has quickly adapted its distribution network, deployment methods, and command and control (C2) infrastructure in response to Microsoft's changes. Its operators have also introduced new initial-access techniques in phishing campaigns, such as malicious OneNote files, Mark of the Web evasion, and HTML smuggling.
“Qakbot has shown resilience by employing a resourceful approach in building and developing its architecture... it demonstrates technical expertise by employing various initial access methods and maintaining a robust yet evasive residential C2 architecture,” reads the report.
Greater adaptability
Besides the new deployment methods, the Qbot operators have changed how they run their C2 servers: instead of relying on hosted virtual private servers (VPS), they now hide C2 servers on compromised web servers and on hosts in residential IP space. Such servers have a shorter lifespan, but the operators can quickly obtain new ones; roughly 90 new C2 servers come online every week during a spam cycle.
Converting infected bots into C2 servers is therefore crucial to Qbot's operations: over 25% of these servers are active for only a single day, and half do not survive beyond a week, so converted bots are what replenishes the C2 supply.
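The turnover figures above are exactly what decides how quickly an address-based blocklist goes stale. The following Python script is an added example, not code from the article or from Black Lotus Labs: given first-seen/last-seen records for C2 addresses, it computes the share of servers that lived one day or less and under a week, the number of new servers per week, and the fraction of a blocklist that is already dead as of a given date. The sample records are constructed (RFC 5737 documentation addresses, not real telemetry), and the record format and function names are assumptions for illustration.

```python
"""Churn metrics for a feed of C2 server sightings (added example, not article code)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, Iterable, List, Tuple

# Constructed sample data: (address, first day seen serving C2, last day seen).
# Addresses come from the RFC 5737 documentation ranges; none are real indicators.
SAMPLE_SIGHTINGS: List[Tuple[str, str, str]] = [
    ("203.0.113.10", "2023-05-01", "2023-05-01"),
    ("203.0.113.11", "2023-05-01", "2023-05-03"),
    ("198.51.100.5", "2023-05-02", "2023-05-02"),
    ("198.51.100.6", "2023-05-02", "2023-05-12"),
    ("192.0.2.20", "2023-05-03", "2023-05-08"),
    ("192.0.2.21", "2023-05-09", "2023-05-09"),
    ("203.0.113.12", "2023-05-10", "2023-05-15"),
    ("198.51.100.7", "2023-05-11", "2023-05-20"),
]


@dataclass(frozen=True)
class C2Sighting:
    address: str
    first_seen: date
    last_seen: date

    @property
    def lifespan_days(self) -> int:
        # A server observed on a single day counts as active for one day.
        return (self.last_seen - self.first_seen).days + 1


def parse_sightings(rows: Iterable[Tuple[str, str, str]]) -> List[C2Sighting]:
    """Turn (address, first_seen, last_seen) ISO-date rows into sightings."""
    return [C2Sighting(addr, date.fromisoformat(first), date.fromisoformat(last))
            for addr, first, last in rows]


def churn_metrics(sightings: List[C2Sighting]) -> Dict[str, float]:
    """Lifespan distribution: how much of the infrastructure is short-lived."""
    total = len(sightings)
    one_day = sum(1 for s in sightings if s.lifespan_days <= 1)
    under_week = sum(1 for s in sightings if s.lifespan_days < 7)
    return {
        "total": total,
        "one_day_share": one_day / total,
        "under_week_share": under_week / total,
        "median_lifespan_days": median(s.lifespan_days for s in sightings),
    }


def new_servers_per_week(sightings: List[C2Sighting], start_day: str) -> Dict[int, int]:
    """Count servers by the week (0-based, from start_day) in which they first appeared."""
    start = date.fromisoformat(start_day)
    weeks: Counter = Counter()
    for s in sightings:
        weeks[(s.first_seen - start).days // 7] += 1
    return dict(weeks)


def stale_fraction(sightings: List[C2Sighting], as_of: str) -> float:
    """Share of a blocklist built from these sightings that is already dead on as_of.

    An entry is stale when the server was last seen before the as_of date, i.e.
    blocking it no longer stops any live C2 traffic.
    """
    cutoff = date.fromisoformat(as_of)
    dead = sum(1 for s in sightings if s.last_seen < cutoff)
    return dead / len(sightings)


if __name__ == "__main__":
    sightings = parse_sightings(SAMPLE_SIGHTINGS)
    print("churn:", churn_metrics(sightings))
    print("new per week from 2023-05-01:", new_servers_per_week(sightings, "2023-05-01"))
    print("blocklist stale as of 2023-05-10:", stale_fraction(sightings, "2023-05-10"))
```

On the constructed sample, more than half of the entries are dead within nine days of the first sighting. The practical consequence is the one the report's numbers imply: an indicator feed for this kind of infrastructure needs daily refresh at minimum, and detections keyed on C2 behaviour outlast detections keyed on addresses.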
To make matters worse, the report expects the malware to remain a significant threat for the foreseeable future: “There are currently no signs of Qakbot slowing down.”