TechRadar
Sead Fadilpašić

Qakbot returns — devious new malware tricks victims by using a fake Adobe installer


The infamous Qakbot malware is back, and sporting some interesting improvements, experts have warned.

Cybersecurity researchers from Sophos have observed new distribution campaigns for Qakbot, and the malware now comes with a fake Windows installer. Once the victim runs it, it displays a bogus installer for an Adobe product.

The installer looks suspicious to begin with, displaying nothing but the words “Adobe Setup”. If the user clicks the X button to terminate the process, the installer asks “Are you sure you want to cancel Adobe installation?” in an attempt to make the process look legitimate. The worst part is that it doesn’t matter what the victim clicks: in every scenario the malware is installed, as the prompt only serves as a distraction.

Back with a vengeance

Other notable improvements include enhanced obfuscation techniques, such as stronger encryption that hides strings and C2 communications. Besides the XOR encryption method observed in earlier variants, the new Qakbot versions also use AES-256 encryption.

Finally, the malware analyzes the endpoint for antivirus solutions and other protection tools, and checks for virtualized environments. If it concludes that it is running in a sandbox, it enters an infinite loop.

Qakbot was severely disrupted in the summer of 2023, when US law enforcement agencies took down its infrastructure during Operation Duck Hunt. However, as no arrests were made at the time, researchers concluded that it was only a matter of time before Qakbot’s operators sprang back into action.

Indeed, in December last year, Microsoft reported on a new phishing campaign distributing Qakbot, and Sophos now says that up to 10 new malware builds have been made since then.

Still, it is impossible to know whether the new variants were developed by the same people who built the original Qakbot, or whether a different threat actor obtained the source code and started experimenting with fresh builds.

Via BleepingComputer
