The operators of the Qakbot malware (also known as QBot, QuackBot and Pinkslipbot) have changed their tactics: they now hijack existing e-mail threads to deliver malicious DLL libraries and inject code into web pages to steal passwords.
According to experts from Sophos, the malware collects a wide range of profile information from infected systems, including information about all configured user accounts, permissions, installed software, running services, etc.
Qakbot is a modular multi-purpose botnet distributed by email, which is becoming increasingly popular among attackers as a network for distributing malware such as Trickbot and Emotet.
During the current malicious campaign, Qakbot operators inserted malicious replies into existing e-mail threads. The messages contained a short sentence and a link to download a zip file with a malicious Microsoft Excel spreadsheet.
As soon as Qakbot infects a target, it scans the device, collects information and sends it to the command server. Then the botnet installs at least three more malicious modules:
- A module that injects password-stealing code into web pages;
- A module that scans the network and collects data about other nearby systems;
- A module that identifies the addresses of SMTP (Simple Mail Transfer Protocol) mail servers in order to connect to them and send further spam.