US State Agency Hit by QakBot Malware

Delaware, USA – February 8, 2019 – A new spam campaign spreading a banking trojan was reported by Cofense researchers. The notorious Emotet botnet is now delivering more advanced malware targeting the US governmental institution. The campaign to deliver the QakBot malware performed typically of Emotet behavior delivering the destructive Office document with macros and covered things up by altering the binary of a legitimate app, calc.exe this time. However, the payload came as a surprise by delivering not only the QakBot banking trojan but also IcedID undercovered as an invoice. The attached macro comes with blurring features as well as the .exe file size verification. After downloading the malware changes its name and hides into the /Temp directory, runs checkouts and spreads itself throughout the system.

The current campaign comes back as an updated and fine-tuned version of the previous Emotet activity aiming to get on to the US state agency staff. In the past, adversaries have already used QakBot not only to steal data but also to paralyze the work of companies due to its worm-like capabilities and modular structure. Shifting away from information stealing, Emotet is steadily gaining ground as a malware-spreading tackle to deliver the 3rd party infections. Keep your infrastructure safe with Sigma rules detecting these threats.

QakBot Detector (Sysmon): https://tdm.socprime.com/tdm/info/1457/
Emotet Trojan detector: https://tdm.socprime.com/tdm/info/1279/