Qakbot is a sophisticated banking trojan and malware that primarily targets financial institutions.
This sophisticated malware steals sensitive information such as:-.
Not only that, even Microsoft has found small-scale phishing targeting the hospitality sector since Dec 11, 2023.
Though all these phishing emails are low now, researchers at K7 Security Labs affirmed to expect an email volume surge due to Qakbot's history.
Cybersecurity researchers at K7 Security Labs recently discovered that hackers use weaponized PDF files to deliver Quakbot malware.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month.
In a recent phishing campaign, researchers identified threat actors actively delivering malicious MSI files via PDFs. Further, the analysis uncovers a patched IDM DLL housing Qakbot, which is found to be using a custom packer.
Unpacking the Qakbot DLL involves breakpoints on:-.
Initially, experts obtained the dump without the MZ header, and later, they identified it as Qakbot's second-stage loader by adding the header manually.
This technique helps the threat actors avoid EDR detection by avoiding MZ header scans.
In the new Qakbot campaign, security researchers noted AES encryption for victim info storage, yet the final payload retains RC4 encryption.
The dynamic analysis discreetly exposes an MSI-installed temp file invoking rundll32.
The threat actor leveraging the PDFs self-copies the DLL as AcrobatAC.dll and then executes the Qakbot via EditOwnerInfo.
The experts also extracted the Qakbot payload by dumping the PE file from the suspended wermgr.
Exe and tries to establish a covert C2 connection the C2 which is inactive during analysis stops the further malicious actions.
Try Kelltron's cost-effective penetration testing services for free to assess and evaluate the security posture of digital systems.
This Cyber News was published on gbhackers.com. Publication date: Wed, 10 Jan 2024 07:13:04 +0000