Qbot malware found smuggled inside Windows Installer packages

Scott Marlette

3 years ago

Qbot botnet operators are no longer distributing the malware (opens in new tab) via weaponized Microsoft Office documents. Instead, they’re opting for malicious MSI Windows Installer packages.

Cybersecurity researchers see this as a “direct reaction” to Microsoft’s move to prevent malware being delivered via Office macros.

Qbot, or Quakbot, is a Windows banking trojan that’s been roaming in the wild for more than a decade. Threat actors usually use it to steal banking login information, as well as personal and other identity-related data. It can also be used as a dropper that distributes Cobalt Strike on compromised endpoints (opens in new tab).

Macros disabled since January

Among the threat actors usually deploying Qbot are REvil, Egregor, and MegaCortex, all of which usually target companies, rather than individuals.

In late January this year, Microsoft made a major move, in a bid to discourage criminals from using Office files to distribute malware – it disabled Excel 4.0 (XLM) macros by default.

Back in July 2021, the company released a new Excel Trust Center setting option, allowing administrators to restrict the usage of Excel 4.0 (XLM) macros. It has since made this option default for everyone.

Excel 4.0 (XLM) macros were the default format until 1993, and even though they’ve since been discontinued, they can still be run by the latest versions of the Office program. That makes them ideal for threat actors, who’ve been abusing them to push malware such as TrickBot, Zloader, Qbot, Dridex, ransomware (opens in new tab), and many other malicious programs.

Administrators can use existing Microsoft 365 applications policy control to configure this setting. The Group Policy setting “Macro Notification Settings” for Excel can be found in the following path and registry key:

Group Policy Path: User configuration > Administrative templates > Microsoft Excel 2016 > Excel Options > Security > Trust Center.

Registry Key Path: ComputerHKEY_CURRENT_USERSOFTWAREPoliciesMicrosoftOffice16.0excelsecurity

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@technewsboy.com. The content will be deleted within 24 hours.