The ever-shifting, ever-more-powerful malware is now hijacking email threads to download malicious DLLs that inject password-stealing code into webpages, among other foul things.
The Qakbot botnet is getting more dangerous, sinking its fangs into email threads and injecting malicious modules to pump up the core botnet’s powers.
On Thursday, Sophos published a deep dive into the botnet, describing how researchers have recently seen it spreading through email thread hijacking – an attack in which malware operators malspam replies to ongoing email threads.
In a recent campaign, Qakbot has also been sucking up system info, Sophos said. “The botnet spreads through email thread hijacking and collects a wide range of profile information from newly infected machines, including all the configured user accounts and permissions, installed software, running services, and more,” according to the writeup, after which the botnet downloads the malicious modules.
The Qakbot malware code uses weird encryption to cover up the contents of its communications, but Sophos researchers managed to decrypt the malicious modules and to decode the botnet’s command-and-control (C2) system to interpret how Qakbot receives its marching orders.
Qakbot, aka QBot, QuackBot and Pinkslipbot, is a banking