Qbot Botnet Spotted Spreading through Windows Installer Packages

Security researchers recently noticed the Qbot malware strain spreading as password-protected archive attachments in phishing emails that harbor malicious MSI Windows Installer packages.

Using MSI Windows Installer packages as an infection vector is a first for Qbot operators, known to deliver payloads via malicious macro-laced Microsoft Office attachments in phishing emails.

Experts believe this shift occurred in response to Microsoft’s plan to neutralize Office macro malware delivery by disabling VBA macros by default. The tech giant announced in February that it’s taking steps to disable Visual Basic for Applications (VBA) macros by default in various products, mainly Office suite ones, to fend off attacks that use it as a vector.

Qbot is a banking trojan notorious for stealing financial data, credentials, keystrokes and browser information. Also known as Qakbot, Pinkslipbot and Quakbot, it was initially developed to steal financial data and hit financial institutions. Nowadays, threat actors deploy it against a broader range of targets, including individual users and non-financial organizations.

Qbot is also historically a hacker-favorite to deploy Cobalt Strike beacons and drop backdoors on infected systems. However, security experts noticed that perpetrators could skip this route and plant Cobalt Strike beacons directly on afflicted devices.

Several notorious ransomware gangs, such as Egregor, REvil, MegaCortex, ProLock and PwndLocker, previously relied on Qbot to compromise corporate networks. The viciousness of this malware strain emanates from its incredible versatility.

Perpetrators use various techniques and tactics to deploy payloads on vulnerable systems. Still, most of the time, Qbot infects systems through phishing campaigns or as a result of a separate malware infection.

To avoid infection with Qbot, users should turn to solid security software solutions, such as Bitdefender Total Security, which can shield against malware and cyberattacks. Users should also avoid enabling content on incoming files, especially if the sender is unknown or suspicious.