Creative QakBot Attack Tactics Challenge Security Defenses
Q2 2023 Sees Active QakBot Malware, Evolving Attack Methods Revealed in HP Wolf Threat Insights Report
According to the latest HP Wolf Threat Insights Report, QakBot emerged as one of the most prolific malware families in Q2 2023. HP's analysis underscored a notable shift in cybercriminal tactics aimed at outsmarting security measures and detection tools. One illustrative example is the use of 'building block style attacks' to execute campaigns.
Traditionally, attack sequences follow established patterns leading to the payload. In these QakBot campaigns, however, threat actors constructed distinct infection chains by interconnecting various elements, altering file formats and techniques to evade security protocols and tools. As a result, 32% of the QakBot infection chains observed during Q2 were unique.
In light of these findings, HP Wolf advised network defenders to fortify their email and endpoint defenses against the manifold variations of QakBot spam. Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Wolf, emphasized the centrality of user engagement in the initiation of infection chains. He recommended focusing on curtailing risky activities such as engaging with email attachments, hyperlinks, and browser downloads, rather than attempting to anticipate specific infection routes.
The report further disclosed instances of Aggah campaigns where attackers embedded malicious code within the widely used blogging platform, Blogspot. Concealing the code within a legitimate source complicates the differentiation between ordinary blog browsing and malicious activity. Exploiting their understanding of Windows systems, threat actors neutralized certain anti-malware capabilities on victims' devices. Subsequently, they deployed the XWorm or AgentTesla Remote Access Trojan (RAT) to pilfer sensitive data.
Moreover, HP Wolf identified additional Aggah attacks exploiting a DNS TXT record query—a conventional method for accessing basic domain name information—to distribute the AgentTesla RAT. This strategy capitalizes on the relative lack of monitoring or safeguarding of the DNS protocol by security teams, rendering detection of such attacks challenging.
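As an added defender-side example (not from the HP report or this article), the following Python scans a constructed DNS resolver log and flags TXT answers that look like encoded blobs rather than the SPF/DMARC/verification text normally carried in TXT records. The log format, field names and the length and entropy thresholds are assumptions, and the sample lines are constructed.

```python
import base64
import math
import re
from collections import Counter

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_line(line: str) -> dict:
    """Assumed log format: '<client> <qname> <qtype> <rdata...>' (rdata may contain spaces)."""
    client, qname, qtype, rdata = line.split(" ", 3)
    return {"client": client, "qname": qname, "qtype": qtype, "rdata": rdata}

def suspicious_txt(rec: dict, min_len: int = 64, min_entropy: float = 4.0) -> bool:
    """True when a TXT answer is long, base64-shaped and high-entropy, and is not a
    well-known mail-authentication record. Thresholds are assumptions; tune per environment."""
    if rec["qtype"] != "TXT":
        return False
    data = rec["rdata"].replace('"', "")
    if data.startswith(("v=spf1", "v=DMARC1", "v=DKIM1")):
        return False
    return (len(data) >= min_len
            and bool(BASE64_RE.match(data))
            and shannon_entropy(data) >= min_entropy)

def flag_records(log_text: str) -> list:
    """Return the parsed records from log_text that suspicious_txt() flags."""
    return [r for r in map(parse_line, log_text.strip().splitlines()) if suspicious_txt(r)]

# Constructed sample resolver log (not real traffic). The third line's TXT data is a
# base64 blob generated here from a deterministic byte sequence to stand in for an encoded stage.
_BLOB = base64.b64encode(bytes(range(0, 256, 3))).decode()
SAMPLE_LOG = f"""\
10.0.0.12 example.com TXT v=spf1 include:_spf.example.com -all
10.0.0.12 _dmarc.example.com TXT v=DMARC1; p=reject; rua=mailto:dmarc@example.com
10.0.0.45 txt.stager-placeholder.invalid TXT {_BLOB}
10.0.0.45 www.example.com A 93.184.216.34
"""

if __name__ == "__main__":
    for r in flag_records(SAMPLE_LOG):
        print(f"suspicious TXT answer: client={r['client']} qname={r['qname']} len={len(r['rdata'])}")
```

In practice the same check runs over resolver or DNS-server query logs, which is exactly the visibility the passage above notes many teams lack.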
The report culminated by highlighting a recent campaign that harnessed multiple programming languages to obfuscate its activities and avoid detection.