
New Qakbot Variant Using Fake Adobe Installer for Evasion


The cyber security landscape is witnessing a concerning evolution of the Qakbot malware, with new iterations being used in email campaigns as early as mid-December. This development signals a persistent effort by the malware’s developers, or individuals with access to its source code, to innovate and enhance its evasion and infection capabilities.

Sophisticated Deception with Fake Adobe Installers

One of the recent variants involves the deployment of a counterfeit installer for Adobe products on Windows systems to dupe users into unwittingly installing the malware, showcasing the lengths to which cyber criminals are willing to go to infiltrate systems.

Qakbot, also referred to as QBot, has long been a notorious vehicle for distributing a range of malicious payloads, including ransomware, primarily through email vectors.

Despite a significant takedown operation named ‘Duck Hunt’ in August, which disrupted the malware’s network but resulted in no arrests, Qakbot’s infection chain remains unbroken, with over 700,000 systems compromised and financial damages surpassing $58 million in a span of 18 months.

Continued Threat Post-Takedown

Last year, Cisco Talos uncovered a Qakbot campaign that kicked off before the takedown and remained active into early October, despite law enforcement’s efforts, because the spam delivery infrastructure was left intact.

By December 2023, Microsoft had observed a new phishing operation by QBot, this time impersonating the IRS, which confirmed the malware’s resurgence. Around the same period, Sophos X-Ops identified up to 10 new versions of QBot, marking a significant uptick in its activity.

Technical Innovations in Malware Design

According to Sophos researchers, the latest Qakbot samples exhibit refined tactics for evasion, including the use of Microsoft Software Installer (.MSI) files to deploy DLL binaries through .CAB archives, a departure from previous methods that involved hijacking benign Windows processes.
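For analysts triaging such samples, the first question is usually what the embedded .CAB archive actually carries. The following Python is an added example (it is not code from the article, from Sophos, or from the Qakbot authors): a minimal parser for the Microsoft Cabinet container that lists the archive members, hashes any .dll member for lookup against threat-intelligence feeds or an allow list, and refuses inputs whose header length disagrees with the data. It assumes an uncompressed single-folder cabinet; the sample archive it builds and parses is constructed in the script and contains stand-in files, not real malware.

```python
# Added example (not from the article, Sophos or the Qakbot authors): a minimal
# parser for the Microsoft Cabinet (.CAB) container that MSI packages can carry,
# used here to enumerate members and flag DLL payloads for further analysis.
import hashlib
import struct
from typing import Dict, List

# Fixed-size structures from the CAB format specification (little-endian).
CFHEADER = "<4sIIIIIBBHHHHH"   # 36 bytes
CFFOLDER = "<IHH"              # 8 bytes: coffCabStart, cCFData, typeCompress
CFFILE_FIXED = "<IIHHHH"       # 16 bytes, followed by a NUL-terminated name
CFDATA = "<IHH"                # 8 bytes: csum, cbData, cbUncomp
CFHDR_RESERVE_PRESENT = 0x0004
TCOMP_TYPE_MASK = 0x000F


def build_sample_cab(files: List[tuple]) -> bytes:
    """Build a constructed, uncompressed single-folder CAB for testing."""
    header_size = struct.calcsize(CFHEADER)
    folder_size = struct.calcsize(CFFOLDER)
    file_entries = b""
    offset = 0
    for name, content in files:
        # cbFile, uoffFolderStart, iFolder, date, time, attribs (0x20 = archive)
        file_entries += struct.pack(CFFILE_FIXED, len(content), offset, 0, 0, 0, 0x20)
        file_entries += name.encode("ascii") + b"\x00"
        offset += len(content)
    folder_data = b"".join(content for _, content in files)
    coff_files = header_size + folder_size
    coff_cabstart = coff_files + len(file_entries)
    cfdata = struct.pack(CFDATA, 0, len(folder_data), len(folder_data)) + folder_data
    cb_cabinet = coff_cabstart + len(cfdata)
    header = struct.pack(CFHEADER, b"MSCF", 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, len(files), 0, 0x1234, 0)
    folder = struct.pack(CFFOLDER, coff_cabstart, 1, 0)  # typeCompress 0 = none
    return header + folder + file_entries + cfdata


def list_cab_entries(blob: bytes) -> List[Dict]:
    """Parse CFHEADER and CFFILE records; returns one dict per archive member."""
    if len(blob) < struct.calcsize(CFHEADER) or blob[:4] != b"MSCF":
        raise ValueError("not a CAB archive (missing MSCF signature)")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     _c_folders, c_files, flags, _set_id, _i_cab) = struct.unpack_from(CFHEADER, blob, 0)
    if cb_cabinet != len(blob):
        raise ValueError("cbCabinet disagrees with actual length; truncated or tampered")
    if flags & CFHDR_RESERVE_PRESENT:
        raise ValueError("cabinets with reserved areas are out of scope for this example")
    entries, pos = [], coff_files
    for _ in range(c_files):
        cb_file, uoff_start, i_folder, _date, _time, _attribs = struct.unpack_from(
            CFFILE_FIXED, blob, pos)
        pos += struct.calcsize(CFFILE_FIXED)
        end = blob.index(b"\x00", pos)
        entries.append({"name": blob[pos:end].decode("latin-1"), "size": cb_file,
                        "folder": i_folder, "offset": uoff_start})
        pos = end + 1
    return entries


def extract_folder(blob: bytes, folder_index: int = 0) -> bytes:
    """Concatenate the CFDATA blocks of one folder (uncompressed folders only)."""
    header_size = struct.calcsize(CFHEADER)
    c_folders = struct.unpack_from(CFHEADER, blob, 0)[8]
    if folder_index >= c_folders:
        raise ValueError("folder index out of range")
    coff_cabstart, c_cfdata, type_compress = struct.unpack_from(
        CFFOLDER, blob, header_size + folder_index * struct.calcsize(CFFOLDER))
    if (type_compress & TCOMP_TYPE_MASK) != 0:
        raise ValueError("compressed folder; decompression is out of scope here")
    out, pos = b"", coff_cabstart
    for _ in range(c_cfdata):
        _csum, cb_data, _cb_uncomp = struct.unpack_from(CFDATA, blob, pos)
        pos += struct.calcsize(CFDATA)
        out += blob[pos:pos + cb_data]
        pos += cb_data
    return out


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flag_dll_payloads(blob: bytes) -> Dict[str, Dict]:
    """Return {name: {size, sha256}} for every .dll member, ready for a
    threat-intel lookup or comparison against known-good signed DLLs."""
    flagged, folders = {}, {}
    for entry in list_cab_entries(blob):
        if not entry["name"].lower().endswith(".dll"):
            continue
        idx = entry["folder"]
        if idx not in folders:
            folders[idx] = extract_folder(blob, idx)
        data = folders[idx][entry["offset"]:entry["offset"] + entry["size"]]
        flagged[entry["name"]] = {"size": entry["size"], "sha256": sha256_hex(data)}
    return flagged


# Constructed sample: a benign-looking installer plus a DLL, stand-ins for the
# "DLL dropped via CAB" pattern the article describes (not real Qakbot files).
SAMPLE_FILES = [
    ("installer.exe", b"MZ" + b"\x00" * 30 + b"stub installer"),
    ("helper.dll", b"MZ" + b"\x00" * 30 + b"stub library"),
]
SAMPLE_CAB = build_sample_cab(SAMPLE_FILES)

if __name__ == "__main__":
    for entry in list_cab_entries(SAMPLE_CAB):
        print(f"{entry['name']:16} {entry['size']:6d} bytes")
    for name, info in flag_dll_payloads(SAMPLE_CAB).items():
        print(f"DLL member: {name} sha256={info['sha256']}")
```

Real-world cabinets pulled out of an MSI are usually MSZIP- or LZX-compressed, so in practice the extraction step would be handed to a full CAB implementation; the header and CFFILE parsing above, and the length consistency check, apply unchanged and are enough to enumerate what a package is about to drop before any of it is executed.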

These variants employ sophisticated obfuscation techniques, such as AES-256 encryption layered over traditional XOR methods, to conceal malicious operations and communication with control servers.

A renewed focus on anti-detection measures is evident: the malware checks for endpoint protection software and virtualized environments, and when it detects a virtual machine it enters an infinite loop so that its payload never executes under analysis.

Adding to the complexity, the malware presents users with a misleading Adobe Setup popup, creating the illusion of a legitimate installation process; the malware is deployed regardless of how the user responds to the popup.

Final Word

The persistence and innovation of Qakbot developers pose a significant challenge to cybersecurity defenses worldwide. Understanding the evolving tactics and staying informed about the latest detection and prevention strategies are key to mitigating the risks associated with this and similar malware threats.

Author: Anas Hasan

Date: February 16, 2024


Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
