
Qakbot’s New Quip

Created: Thursday, December 10, 2020 - 12:35
Categories:
Cybersecurity

Once considered a simple information-stealing worm, Qakbot has evolved into one of the most capable malware droppers used in many cyberattack campaigns. Following the likes of TrickBot, quirky Qakbot is often paired with post-compromise attack platforms such as Cobalt Strike. Likewise, it is not uncommon for devices infected with Qakbot to ultimately be further contaminated with ransomware, including Egregor, as highlighted in the recent Insikt Group report, Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot (covered in Tuesday’s Security & Resilience Update). In that same Tuesday post, we also offered a reminder of the correlation to the WaterISAC Advisory on the ransomware attack at a large metropolitan water utility.

So, what’s Qakbot quietly up to?

While Qakbot coverage is not unique to our Security & Resilience Updates, given its nexus to recent water and wastewater sector activity, its new technique bears noting. On November 24, analysts at Binary Defense detected a major version update to Qakbot’s loader and bot that combines the two into a single file, essentially reducing its on-system footprint to minimize detection. This updated version uses a newer and stealthier persistence mechanism that takes advantage of system shutdown and resume messages to toggle persistence on infected devices, so the persistence artifact is present only around shutdown and is removed again once the system resumes. Visit BleepingComputer for the complete overview.

P.S.

As a reminder, the Insikt Group research mirrors much of the information highlighted in the aforementioned WaterISAC Advisory. And if you have not already, members are highly encouraged to read the report at Recorded Future for greater awareness and understanding of observed behavior to help protect against the multiple tactics of this active and aggressive threat.