Sophos has published a technical deep dive into Qakbot, explaining how the botnet is becoming more advanced and dangerous to organisations.
In a new article, “Qakbot Injects Itself into the Middle of Your Conversations”, Sophos researchers detail a recent Qakbot campaign that shows how the botnet spreads through email thread hijacking and how it profiles newly infected machines, collecting the configured user accounts and their permissions, installed software, running services and more. According to Sophos, the botnet then downloads a series of additional malicious modules that extend the functionality of the core bot.
Qakbot’s malware code uses an unconventional encryption scheme, which it also applies to conceal the content of its command-and-control communications.
Sophos said its researchers decrypted the malicious modules and decoded the botnet’s command-and-control protocol in order to understand how Qakbot receives its instructions.
Qakbot is a modular, multipurpose botnet spread by email that has become increasingly popular with attackers as a malware delivery network, like Trickbot and Emotet, Andrew Brandt, principal threat researcher at Sophos, further explained.
“Sophos’ deep analysis of Qakbot reveals the capture of detailed victim profile data, the botnet’s ability to process complex sequences of commands and a series of payloads to extend the functionality of the core botnet engine.