Security researchers have discovered that hackers are alternating between QBot and IcedID in malspam campaigns. QBot and IcedID are banking trojans that are often used to distribute various ransomware strains as the final payload of an attack.
Earlier this year, researchers spotted a malicious email campaign sending Office documents that distributed the QBot trojan. In February, IcedID was the new malware delivered from URLs that had previously been serving QBot (or Qakbot). Brad Duncan of Palo Alto Networks observed the two trojans alternating in malicious campaigns. Specifically, Duncan noted the following:
"The HTTPS URL created by the Excel macro ends with /ds/2202.gif, which would normally distribute Qakbot, but today distributes IcedID."
Security researcher James Quinn of Binary Defense also noticed this tactic, citing it in a blog post published in March, when the company discovered a new variant of IcedID / BokBot while watching a malspam campaign from a QakBot distributor.
IcedID first appeared as a banking trojan in 2017 and has since been adapted to distribute other malware. According to researchers, IcedID has in the past distributed the RansomExx, Maze and Egregor ransomware. A month and a half later, QBot (i.e. QakBot) was observed distributing the ProLock, Egregor and DoppelPaymer ransomware.
Malware researcher and reverse engineer reecDeep detected this change on April 12, noting that the malicious campaign relies on updated XLM (Excel 4.0) macros.
As shown in the screenshot above, the malicious Office file is disguised as a DocuSign document to trick users into enabling macros, which then deliver the payload to the system. The same lure appears in the analyses by both Binary Defense and Brad Duncan of the distributor's switch to delivering IcedID in February 2021.
Recently, researchers from the threat intelligence company Intel 471 published information about EtterSilent, a malicious document builder that is gaining popularity due to its continuous development and its ability to bypass many security mechanisms (Windows Defender, AMSI, email services). One feature of this tool is that it can create malicious documents that look like DocuSign- or DigiCert-protected files and require user interaction to "decrypt".
According to Intel 471, many hacking gangs have started using EtterSilent, including those behind IcedID, QakBot, Ursnif and Trickbot.
Speaking to Bleeping Computer about the recent switch to QakBot, James Quinn confirmed the campaigns, saying that all the evidence points to "a fairly large update for QakBot", accompanied by changed encryption algorithms for its internal configuration.
Source of information: bleepingcomputer.com