reports that cyberattackers have begun leveraging the Qakbot banking trojan to deploy numerous ransomware variants.
Qakbot's modular nature has enabled attackers to launch attacks that are difficult to detect, remove, and prevent. Qakbot primarily uses email attachments, links, and images to deliver payloads, although Visual Basic for Applications and legacy Excel 4.0 macros are also being leveraged for machine infection, according to a report from the Microsoft 365 Defender Threat Intelligence Team. Microsoft added that Qakbot also seeks to move laterally across networks, use Cobalt Strike, and spread ransomware.
"Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads... Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor," said Microsoft.