QBot/QakBot Malware: How does it work?
Qbot, also known as "QakBot," is malware originally designed as a banking trojan to steal financial information. Its modular design lets it deliver and install additional malicious software on infected computers in a variety of ways, and the machines it compromises are pooled into a large botnet under the attackers' control.
Qbot spreads via email carrying unusual attachments. The email is usually delivered through phishing, spam, or compromised accounts, and it is crafted to trick the user into opening it and downloading the attachment.
I will illustrate some sample cases of how Qbot gets activated, which are as follows:
Case 1: The file is distributed via email and Qbot activates via PowerShell
The initial access begins with a deceptive email that appears to be legitimate. Once the email is opened, the disguised attachment, such as a batch file (*.bat), a Windows script file (*.wsf), an encoded JScript file (*.jse), or an HTML Application (*.hta), is dropped on the host. These scripts then download the DLL payload, copy it to the "tmp" (temporary) folder, and execute it using "rundll32.exe".
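The chain above (script host drops a DLL into a temp folder, then launches it through rundll32.exe) is a good hunting target. The following detection logic is an added example, not code from the original article: it runs over a few constructed, Sysmon-style process-creation events (field names ParentImage, Image and CommandLine follow Sysmon Event ID 1, but the "key=value|key=value" line layout and the sample paths are assumptions made for this example) and flags rundll32.exe executions whose parent is a script interpreter and whose DLL argument lives under a temp directory.

```python
"""
Added detection example: flag the QakBot-style chain where a script host
(wscript/cscript/cmd/powershell/mshta) launches rundll32.exe to execute a
DLL dropped in a temp folder. Not from the original article.
"""
import ntpath
import re

# Parents typically seen when .bat/.wsf/.jse/.hta attachments run (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Temp-folder markers in a path, resolved or still as an environment variable.
TEMP_DIR_RE = re.compile(r"(\\temp\\|\\tmp\\|%temp%|%tmp%)", re.IGNORECASE)
# First DLL path on the command line, quoted or not.
DLL_ARG_RE = re.compile(r'"?([^"\s]+\.dll)"?', re.IGNORECASE)

# CONSTRUCTED sample events in a simplified "k=v|k=v" layout (an assumption,
# not a real Sysmon export format).
CONSTRUCTED_EVENTS = [
    # benign: Explorer launching rundll32 against a system DLL
    'ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe|'
    'CommandLine=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
    # suspicious: a .wsf run by wscript executes a DLL dropped in %TEMP%
    'ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\System32\\rundll32.exe|'
    'CommandLine=rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\abc123.dll,DllRegisterServer',
    # suspicious: a .bat (cmd.exe) runs rundll32 with a quoted %TEMP% path
    'ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\rundll32.exe|'
    'CommandLine=rundll32.exe "%TEMP%\\payload.dll",#1',
    # benign: script host spawning something other than rundll32
    'ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\System32\\notepad.exe|'
    'CommandLine=notepad.exe',
]


def parse_event(line):
    """Split one constructed 'k=v|k=v' line into a dict of fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def is_suspicious(event):
    """True when a script host spawns rundll32.exe against a DLL in a temp folder."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "")
    if image != "rundll32.exe" or parent not in SCRIPT_HOSTS:
        return False
    match = DLL_ARG_RE.search(cmdline)
    if not match:
        return False
    return TEMP_DIR_RE.search(match.group(1)) is not None


def hunt(lines):
    """Return the command lines of every event that matches the chain."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            hits.append(event["CommandLine"])
    return hits


if __name__ == "__main__":
    for hit in hunt(CONSTRUCTED_EVENTS):
        print("SUSPICIOUS:", hit)
```

The parent-process check is what keeps the rule quiet: rundll32.exe is launched constantly by Explorer and installers, but a script interpreter handing it a DLL out of a temp directory is the specific shape this delivery takes. Tune SCRIPT_HOSTS and TEMP_DIR_RE to the drop locations seen in your own telemetry.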
Note:
Rundll32.exe is a…