Creative QakBot Attack Tactics Challenge Security Defenses

Written by

QakBot was one of the most active malware families in Q2 of 2023, according to the latest HP Wolf Threat Insights Report.

An analysis by the company noted that the cyber-criminals are diversifying attack methods to bypass security policies and detection tools, one example of this is using “building blog style attacks” to carry out these campaigns.

Typically, attack chains are formulaic, with well-trodden paths to the payload, the company noted in a statement.

However, creative QakBot campaigns saw threat actors connecting different blocks together to create unique infection chains. By switching up different file types and techniques, they were able to bypass detection tools and security policies, according to the company. A total of 32% of the QakBot infection chains analyzed by HP in Q2 were unique.

Based on this, HP Wolf recommended that network defenders check that their email and endpoint defenses are geared up to defend against the many permutations of QakBot spam.

Dr Ian Pratt, global head of security for personal systems at HP Wolf, commented: “While infection chains may vary, the methods of initiation remain the same – it inevitably comes down to the user clicking on something. Instead of trying to second guess the infection chain, organizations should isolate and contain risky activities such as opening email attachments, clicking on links, and browser downloads.”

The report also found that attackers behind recent Aggah campaigns hosted malicious code within popular blogging platform, Blogspot.

By hiding the code in a legitimate source, it makes it harder for defenders to tell if a user is reading a blog or launching an attack. Threat actors then use their knowledge of Windows systems to disable some anti-malware capabilities on the users’ machine, execute XWorm or the AgentTesla Remote Access Trojan (RAT), and steal sensitive information, according to HP Wolf.

The firm also identified other Aggah attacks using a DNS TXT record query – typically used to access simple information on domain names – to deliver the AgentTesla RAT. Threat actors know the DNS protocol is not often monitored or protected by security teams, making this attack extremely hard to detect.

Finally, the company highlighted that it had identified a recent campaign that used multiple programming languages to avoid detection.

HP Wolf’s analysis is based on data anonymously gathered within HP Wolf Security customer virtual machines from April-June 2023.

What’s hot on Infosecurity Magazine?