BleepingComputer reports that operators of the Qbot botnet, also known as Qakbot, Quakbot, and Pinkslipbot, have begun leveraging phishing emails with malicious MSI Windows Installer package-laced ZIP archive attachments to spread malware instead of the traditional approach of malware distribution through phishing emails containing Microsoft Office documents with malicious macros.
The change in Qbot's tactics may be due to Microsoft's plans to end VBA Office macro-based malware delivery in February and the deactivation of Excel 4.0 XLM macros in January, according to security researchers, including Intel471 Senior Threat Hunter Joseph Roosen. VBA macro autoblock has been released to Office for Windows users since early this month.
"Despite the varying email methods attackers are using to deliver Qakbot, these campaigns have in common their use of malicious macros in Office documents, specifically Excel 4.0 macros. It should be noted that while threats use Excel 4.0 macros as an attempt to evade detection, this feature is now disabled by default and thus requires users to enable it manually for such threats to execute properly," said Microsoft in December.