The never-ending adaptability of this threat is key to its long-term survival and success.
“Qakbot operators tend to reduce or stop their spamming attacks for long periods of time on a seasonal basis, returning to activity with a modified suite of tools,” Chris Formosa and Steve Rudd, researchers with Lumen’s Black Lotus Labs, have noted.
Qakbot primarily spreads through email hijacking and social engineering tactics.
Once it has secured its presence on target machines, it steals user credentials, establishes backdoors, and provides unauthorized access to those machines to other cybercriminals. It is known for delivering additional malware and ransomware to Windows hosts.
“Qakbot alternates its means of initial entry to stay ahead of tightening security policies and evolving defenses,” the researchers explained.
It previously leveraged Microsoft Office documents to gain access, but when Microsoft announced that it would block macros in files downloaded from the internet, it shifted to using malicious OneNote files, Mark of the Web evasion and HTML smuggling techniques.