"Qakbot Email Thread Hijacking Attacks Drop Multiple Payloads"

Security researchers have observed the revival of Qakbot as the malware uses email thread hijacking techniques to attack enterprise organizations and deploy payloads. A recent Qakbot botnet attack distributed at least three different payloads: a web injector for stealing login credentials, a module for identifying the addresses of a dozen Simple Mail Transfer Protocol (SMTP) email servers for additional spam targeting, and an Address Resolution Protocol (ARP) scanning component for profiling victims' networks. The Qakbot malware then collected profile data from victims, such as configured user accounts and permissions, installed software, running services, and more.

According to Andrew Brandt, a threat researcher with Sophos, Qakbot is a versatile malware family growing in popularity among various criminal groups. Security teams are urged to take Qakbot infections on their network seriously and to investigate and remove every trace of the malware.

The initial infection vector of the Qakbot attack involved inserting malicious email messages into existing email conversations, tailored to the victim's language. Each message includes a short sentence and a link to download a ZIP file. Email thread hijacking is a tactic that makes the attack more convincing, as some messages ask recipients to read something as soon as possible and attach a document the recipient purportedly needs.

Qakbot's malware code and command-and-control (C2) communications are said to use elaborate obfuscation and encryption. Researchers have also found Qakbot samples delivering Cobalt Strike beacons directly to an infected host before operators leased out the beacons to paying customers. This article continues to discuss the history and recent resurgence of Qakbot.

Decipher reports "Qakbot Email Thread Hijacking Attacks Drop Multiple Payloads"
