Qakbot returns — devious new malware tricks victims by using a fake Adobe installer
New variants of Qakbot are upon us
The infamous Qakbot malware is back, and sporting some interesting improvements, experts have warned.
Cybersecurity researchers from Sophos have observed new distribution campaigns for Qakbot, the malware now comes with a fake Windows installer. Once the victim clicks on the malware, it displays a bogus installer for an Adobe product.
The installer looks suspicious to begin with, displaying nothing but the words “Adobe Setup”. Clicking on the X button to terminate the process, the installer asks “Are you sure you want to cancel Adobe installation?” as it tries to trick the user into thinking the process is legitimate. The worst part is - it doesn’t matter what the victim clicks. In every scenario, the malware is installed - as the prompt only serves as a distraction.
Back with a vengance
Other notable improvements include enhanced obfuscation techniques, such as advanced encryption which hides strings and C2 communications. Besides the XOR encryption method that was observed in earlier variants, the new Qakbot versions also use AES-256 encryption.
Finally, the malware analyzes the endpoint for antivirus solutions and other protection tools, and checks for virtualized environments. If it deems it was installed in a sandbox, it will enter an infinite loop.
Qakbot was severely disrupted in the summer of 2023, when US law enforcement agencies took down its infrastructure during Operation Duck Hunt. However, as no arrests were made at the time, researchers concluded that it was only a matter of time before Qakbot’s operators sprung back into action.
Indeed, in December last year, Microsoft reported on a new phishing campaign distributing Qakbot and now Sophos says that up to 10 new malware builds were made since then.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Still, it is impossible to know if the new variants were developed by the same people that built the original Qakbot, or if a different threat actor obtained the source code and started experimenting with fresh builds.
Via BleepingComputer
More from TechRadar Pro
- Qakbot malware returns, despite the FBI saying it took it out
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.