Qakbot is a sophisticated banking trojan and malware that primarily targets financial institutions. This sophisticated malware steals sensitive information such as:-
Login credentials
Financial data
While hackers exploit Qakbot to conduct:-
Financial fraud
Unauthorized transactions
Gain access to personal data
Gain access to financial information
Qakbot malware returns after the “Duck Hunt” bust. Not only that, even Microsoft has found small-scale phishing targeting the hospitality sector since Dec 11, 2023.
Microsoft discovery of Qakbot resurface (Source – K7)
Though all these phishing emails are low now, researchers at K7 Security Labs affirmed to expect an email volume surge due to Qakbot’s history.
Cybersecurity researchers at K7 Security Labs recently discovered that hackers use weaponized PDF files to deliver Quakbot malware.
Document
@import url('https://fonts.googleapis.com/css2?family=Poppins&display=swap');
@import url('https://fonts.googleapis.com/css2?family=Poppins&family=Roboto&display=swap');
*{
margin: 0; padding: 0;
text-decoration: none;
}
.container{
font-family: roboto, sans-serif;
width: 90%;
border: 1px solid lightgrey;
padding: 20px;
background: linear-gradient(2deg,#E0EAF1 100%,#BBD2E0 100%);
margin: 20px auto ;
border-radius: 40px 10px;
box-shadow: 5px 5px 5px #e2ebff;
}
.container:hover{
box-shadow: 10px 10px 5px #e2ebff;
}
.container .title{
color: #015689;
font-size: 22px;
font-weight: bolder;
}
.container .title{
text-shadow: 1px 1px 1px lightgrey;
}
.container .title:after {
width: 50px;
height: 2px;
content: ' ';
position: absolute;
background-color: #015689;
margin: 20px 8px;
}
.container h2{
line-height: 40px;
margin: 2px 0;
font-weight: bolder;
}
.container a{
color: #170d51;
}
.container p{
font-size: 18px;
line-height: 30px;
}
.container button{
padding: 15px;
background-color: #4469f5;
border-radius: 10px;
border: none;
background-color: #00456e ;
font-size: 16px;
font-weight: bold;
margin-top: 5px;
}
.container button:hover{
box-shadow: 1px 1px 15px #015689;
transition: all 0.2S linear;
}
.container button a{
color: white;
}
hr{
/ display: none; /
}
Free Webinar
Fastrack Compliance: The Path to ZERO-Vulnerability
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.
Register for Free
PDF Files to Deliver Qakbot Malware
In a recent phishing campaign, researchers identified threat actors actively delivering malicious MSI files via PDFs. Further, the analysis uncovers a patched IDM DLL housing Qakbot, which is found to be using a custom packer.
Besides this, unpacking the Qakbot DLL involves breakpoints on:-
VirtualAlloc()
VirtualProtect()
Initially, experts obtained the dump without the MZ header, and later, they identified it as Qakbot’s second-stage loader by adding the header manually. This technique helps the threat actors avoid EDR detection by avoiding MZ header scans.
Execution Flow (Source – K7)
In the new Qakbot campaign, security researchers noted AES encryption for victim info storage, yet the final payload retains RC4 encryption. The dynamic analysis discreetly exposes an MSI-installed temp file invoking rundll32.exe.
The threat actor leveraging the PDFs self-copies the DLL as AcrobatAC.dll and then executes the Qakbot via EditOwnerInfo.
The malicious DLL suspends the wermgr.exe (Windows Error Manager) as part of the kill chain. Besides this, the experts also extracted the Qakbot payloa d by dumping the PE file from the suspended wermgr.exe, which reveals the use of process hollowing.
Qakbot pretends to be wermgr.exe and tries to establish a covert C2 connection , however, the C2 which is inactive during analysis stops the further malicious actions.
IoCs
IoCs (Source – K7 ) Try Kelltron’s cost-effective penetration testing services for free to assess and evaluate the security posture of digital systems
The post Hackers Using Weaponized PDF Files to Deliver Qakbot Malware appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform .
Top News
-
U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain
Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider. The individual, a...
-
Lừa đảo mạo danh ‘nở rộ’ trên không gian mạng và ngày càng tinh vi
Dù hình thức không mới song lừa đảo mạo danh hiện vẫn đang khiến nhiều người dân tại Việt Nam và trên thế giới sập bẫy, bị chiếm đoạt tài sản.
-
Lừa đảo đánh cắp mã OTP tinh vi, tấn công mạng tận dụng lỗ hổng mới
Xuất hiện lừa đảo đánh cắp mã OTP tinh vi; Hacker gia tăng tốc độ tận dụng các lỗ hổng mới,... là những thông tin công nghệ trong nước nổi bật...
-
Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users
Hackers are targeting, attacking, and exploiting ML models. They want to hack into these systems to steal sensitive data, interrupt services, or...
-
Sleepy Pickle - Kỹ thuật tấn công mới nhắm vào các mô hình học máy
Sleepy Pickle là một kỹ thuật tấn công mới lạ và bí mật nhắm vào chính mô hình ML (Machine Learning) thay vì hệ thống cơ bản. {...