Aight y’all, QakBot is malware that cybercriminals use to steal sensitive information such as passwords, credit card numbers and banking details. It is one of the most active malware families in 2023, and it constantly evolves to evade detection.
One of the ways QakBot spreads is through "building blog style attacks." This involves hosting malicious code within popular blogging platforms, such as Blogspot. When users visit these blogs, they may be tricked into clicking a link or downloading an attachment that carries the QakBot malware.
Once QakBot is installed on a computer, it can steal sensitive information by monitoring keystrokes, taking screenshots, and accessing files. It can also spread to other computers on the same network.
Here are some additional things to keep in mind about QakBot:
It is often delivered through phishing emails that contain malicious attachments or links.
It can also be spread through drive-by downloads, which occur when a user visits a website that has been compromised to serve QakBot.
QakBot is a modular malware, which means that it can be customized to target specific victims or organizations.
Here are some things that you can do to protect yourself from QakBot:
Be careful about what links you click on and what attachments you open.
Keep your software up to date, including your operating system, web browser, and antivirus software.
Use a firewall to protect your computer from unauthorized access.
Be aware of the latest cybersecurity threats and educate yourself about how to protect yourself.
Use a password manager to create and store strong passwords for all of your online accounts.
Enable two-factor authentication for all of your online accounts that offer it.
Be suspicious of any emails that you receive from unfamiliar senders or that contain attachments or links that you are not expecting.
If you think that you may have been infected with QakBot, there are a few things that you can do:
Isolate the infected computer from the rest of your network.
Run a full scan of your computer with antivirus software.
Change your passwords for all of your online accounts.
Report the infection to the authorities.
QakBot is a serious threat, but there are steps that you can take to protect yourself. By being careful and staying informed, you can help to keep your computer safe from this malware.
Qbot indicators of compromise (not a complete list)
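Here's a defender-side sweep for the kind of indicators listed above (MD5 per delivery-chain file type, plus delivery URLs written as host/path), added as an example and not part of the original post. Every hash, URL, file name and log line in it is a constructed placeholder, not a real Qbot IoC; the proxy log layout is assumed.

```python
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed placeholder indicators (not the real Qbot IoCs): MD5 hex -> delivery-chain stage.
KNOWN_BAD_MD5 = {
    hashlib.md5(b"constructed sample WSF dropper").hexdigest(): "WSF",
    hashlib.md5(b"constructed sample DLL payload").hexdigest(): "DLL",
}
# Constructed placeholder delivery URLs, written as host/path like the post's list.
KNOWN_BAD_URLS = {"example.invalid/stage/stage.php", "example.test/AbC123/dEf456"}

def sweep_files(root, indicators=KNOWN_BAD_MD5):
    """Hash every regular file under root; return {file name: stage} for IoC matches."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = hashlib.md5(p.read_bytes()).hexdigest()
            if digest in indicators:
                hits[p.name] = indicators[digest]
    return hits

def normalize_url(url):
    """host/path with scheme, port and query dropped: host/dir/x.php == http://HOST:80/dir/x.php?a=1"""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "") + parts.path.rstrip("/")

def scan_proxy_log(lines, indicators=KNOWN_BAD_URLS):
    """(line number, url) per request to a listed URL; assumes the constructed log layout below."""
    bad = {normalize_url(u) for u in indicators}
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()  # timestamp client method url status
        if len(fields) >= 4 and normalize_url(fields[3]) in bad:
            hits.append((n, fields[3]))
    return hits

# Constructed proxy log: a benign request, a feed match, and a case-only near miss
# (URL paths are case-sensitive, hosts are not, so only line 2 should fire).
SAMPLE_LOG = """\
2023-06-01T10:00:01Z 10.0.0.5 GET https://www.example.org/index.html 200
2023-06-01T10:00:07Z 10.0.0.5 GET http://EXAMPLE.test:80/AbC123/dEf456?dl=1 200
2023-06-01T10:00:09Z 10.0.0.5 GET http://example.test/abc123/def456 404
"""

def demo_sweep():
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "invoice.wsf").write_bytes(b"constructed sample WSF dropper")
        (Path(tmp) / "notes.txt").write_bytes(b"harmless content")
        return sweep_files(tmp)
```

Swap the placeholder sets for your real feed and point `sweep_files` at download and temp directories; the normalization step is what keeps a feed entry like `host/dir/file.php` matching the upper-cased, port-bearing, query-string variants that actually appear in proxy logs.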