Threat Advisory: Qakbot Activity Is Rising | Huntress
ATT&CK techniques detected
T1055.001 Dynamic-link Library Injection
92%
"- it relies on user interaction for its initial execution and early-stage unraveling - it actually doesn't do anything malicious for the middle stage of its activities except mount and unravel folders - the "middle stage" activities are updated regularly, turning reliable d…"
T1204.002 Malicious File
84%
"Threat Advisory: Qakbot Activity Is Rising | Huntress. Qakbot has been spreading like wildfire. Huntress has seen a 400% increase in Qakbot cases in the past two months (several hundred incidents) in comparison to numbers from all of 2022 spread out over our 1.8 million prote…"
T1218.010 Regsvr32
72%
"…g `regsvr32 gaffes\twinkle.dll` (utilising regsvr32) - cmd.exe /c control.exe (utilising DLL sideloading) 2. One way Qakbot launches is by mounting an ISO — but you can limit this capability by editing the registry. We have seen Qakbot launch by mounting an ISO or v…"
T1204.002 Malicious File
46%
"then unzip and interact with the .lnk (Windows shortcut), which mounts an ISO, where Qakbot then begins its malicious execution and persistence. Prevention is key to keeping this threat in check. - Minimize your or your clients' attack surface by using an email filtering syste…"
Summary
We're seeing a rise in Qakbot activity. Here's what you need to know to keep your environments safe.