Recent investigations into the Qakbot malware, often described as a multi-faceted threat, have broken its infection chain down into distinct components. Microsoft characterizes these “building blocks” as the key to detecting and neutralizing the threat proactively, since defenders who recognize each stage can intervene before the chain completes.
The Microsoft 365 Defender Threat Intelligence Team has referred to Qakbot as a “customizable chameleon,” emphasizing its adaptability to the varied tactics employed by different cybercriminal groups. This adaptability enables Qakbot to operate effectively across numerous environments, posing serious risks to organizations worldwide.
First observed in 2007, Qakbot is widely attributed to a financially motivated cybercriminal group known as Gold Lagoon. Initially developed as a banking trojan, it has since evolved into a sophisticated tool for data theft and a delivery mechanism for additional malware, including ransomware. Offered as installation-as-a-service, it frequently acts as the precursor to large-scale ransomware incidents.
One notable tactic is Qakbot’s hijacking of legitimate email conversations through an Email Collector component; the stolen threads are then reused as phishing bait to compromise additional systems. Researchers at Trend Micro recently detailed how abusing IMAP services and email service providers strengthens this deception, because replies injected into existing threads inherit the trust already established between the correspondents.
Analysis over a seven-month period has shown that various sectors, including telecommunications and technology, have been heavily targeted, with countries such as the U.S., Japan, and Germany among the most affected. These findings illustrate the global scale and significant impact of Qakbot campaigns.
In recent months, attackers have also utilized new loaders like SQUIRRELWAFFLE to facilitate initial breaches into enterprise networks. This technique allows for the introduction of malicious payloads like Qakbot, as well as further sophisticated threats such as Cobalt Strike.
Qakbot’s operators use a variety of tactics to gain initial access, such as sending infected email attachments or emails containing embedded images that redirect users to malicious sites. After gaining a foothold, attackers typically proceed to credential theft, email exfiltration, and lateral movement within the network, activity that maps onto the adversary tactics catalogued in the MITRE ATT&CK framework.
Once inside, attackers often deploy additional payloads or sell their access to other malicious actors, a practice that has become increasingly common among cybercriminals. A report from Proofpoint noted a growing trend of ransomware groups purchasing access to previously compromised organizations, expanding their reach and capabilities without having to breach those networks themselves.
Qakbot’s modular design presents a challenge for cybersecurity professionals because it enables attack methods that can differ greatly from one intrusion to the next. This unpredictability makes a thorough understanding of Qakbot’s components a prerequisite for an effective defensive strategy, as researchers emphasize when they warn of the threat’s capacity to evolve and adapt continually.