Qakbot returns — devious new malware tricks victims by using a fake Adobe installer
New variants of Qakbot are upon us
The infamous Qakbot malware is back, and sporting some interesting improvements, experts have warned.
Cybersecurity researchers from Sophos have observed new distribution campaigns for Qakbot; the malware now comes with a fake Windows installer. Once the victim runs the malware, it displays a bogus installer for an Adobe product.
The installer looks suspicious to begin with, displaying nothing but the words “Adobe Setup”. When the user clicks the X button to terminate the process, the installer asks “Are you sure you want to cancel Adobe installation?”, trying to trick the user into thinking the process is legitimate. The worst part is that it doesn’t matter what the victim clicks: in every scenario the malware is installed, as the prompt only serves as a distraction.
Back with a vengeance
Other notable improvements include enhanced obfuscation techniques, such as advanced encryption that hides strings and C2 communications. Besides the XOR encryption method observed in earlier variants, the new Qakbot versions also use AES-256 encryption.
Finally, the malware analyzes the endpoint for antivirus solutions and other protection tools, and checks for virtualized environments. If it deems it was installed in a sandbox, it will enter an infinite loop.
Qakbot was severely disrupted in the summer of 2023, when US law enforcement agencies took down its infrastructure during Operation Duck Hunt. However, as no arrests were made at the time, researchers concluded that it was only a matter of time before Qakbot’s operators sprung back into action.
Indeed, in December last year, Microsoft reported on a new phishing campaign distributing Qakbot, and now Sophos says that up to 10 new malware builds have been made since then.
Still, it is impossible to know if the new variants were developed by the same people that built the original Qakbot, or if a different threat actor obtained the source code and started experimenting with fresh builds.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.