In the first months of the year, researchers noticed a malicious email campaign spreading weaponized Office documents that delivered the QBot trojan, then switched its payload after a short while.

Qbot, also known as “Qakbot” or “Pinkslipbot,” is a banking trojan active since 2007 that focuses on stealing user data and banking credentials. The malware has evolved to include new delivery mechanisms, command and control (C2) techniques, and anti-analysis features. While some campaigns deliver Qbot directly, it has also been delivered as a secondary payload by other prominent malware such as Emotet.

Now, let’s take a look at IcedID, a malware that resembles Emotet in being modular and in having started its lifecycle as a banking trojan used to steal financial information. This malware has been circulating at increasing rates, thanks to a spate of email campaigns using Microsoft Excel spreadsheet file attachments.

IcedID was recognized as the new malware coming from the URLs that used to serve QBot, and after a gap of about a month and a half, the malware distributor switched the payload back to QBot (a.k.a. QakBot), which has been seen delivering Ryuk, Conti, Maze, Egregor, and ProLock ransomware in the past.

Malware researcher and reverse engineer reecDeep spotted this specific switch on Monday, concluding that the campaign relies on updated XLM macros.

The malicious Office files pose as DocuSign documents in an attempt to trick users into enabling macro support, which then fetches the payload onto the system.
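XLM (Excel 4.0) macros live in dedicated macro sheets inside the legacy BIFF Workbook stream rather than in a VBA project, so a defender triaging attachments like the ones described above can flag them by walking the BOUNDSHEET records and checking each sheet's type and visibility. The following is an added example written for this article, not code from the campaign or from any researcher named here; it assumes the Workbook stream has already been pulled out of the OLE container, and the sample stream it parses is constructed inline.

```python
import struct

# BIFF record types used here (MS-XLS record ids).
BOF = 0x0809
EOF_REC = 0x000A
BOUNDSHEET = 0x0085

# BoundSheet8.dt values (sheet types); 0x01 is an Excel 4.0 (XLM) macro sheet.
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm_macro", 0x02: "chart", 0x06: "vba_module"}
# BoundSheet8.hsState values; "very hidden" sheets cannot be unhidden from the Excel UI.
HIDDEN_STATES = {0x00: "visible", 0x01: "hidden", 0x02: "very_hidden"}


def iter_biff_records(stream):
    """Yield (record_type, data) for each BIFF record: 2-byte id, 2-byte length, body."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        pos += 4
        yield rtype, stream[pos:pos + rlen]  # truncated final record yields what is left
        pos += rlen


def parse_boundsheet(data):
    """Decode a BoundSheet8 body: lbPlyPos(4) hsState(1) dt(1) cch(1) flags(1) name."""
    if len(data) < 8:
        return None
    hs_state = data[4] & 0x03          # low two bits carry the hidden state
    dt = data[5]
    cch = data[6]
    high_byte = data[7] & 0x01         # 1 means the name is UTF-16LE, 0 means 8-bit
    raw = data[8:8 + cch * (2 if high_byte else 1)]
    name = raw.decode("utf-16-le" if high_byte else "latin-1", errors="replace")
    return {
        "name": name,
        "type": SHEET_TYPES.get(dt, f"unknown_0x{dt:02x}"),
        "visibility": HIDDEN_STATES.get(hs_state, "unknown"),
    }


def find_xlm_macro_sheets(workbook_stream):
    """Return every Excel 4.0 macro sheet declared in the stream, with its visibility."""
    hits = []
    for rtype, data in iter_biff_records(workbook_stream):
        if rtype != BOUNDSHEET:
            continue
        sheet = parse_boundsheet(data)
        if sheet and sheet["type"] == "xlm_macro":
            hits.append(sheet)
    return hits


# --- constructed sample input (not a real maldoc) -------------------------------
def build_record(rtype, data):
    return struct.pack("<HH", rtype, len(data)) + data


def build_boundsheet(name, dt, hs_state):
    body = struct.pack("<IBBBB", 0, hs_state, dt, len(name), 0) + name.encode("latin-1")
    return build_record(BOUNDSHEET, body)


# A Workbook Globals substream with one ordinary worksheet and one "very hidden"
# XLM macro sheet, the layout commonly used to keep the macro out of the user's view.
SAMPLE_STREAM = (
    build_record(BOF, struct.pack("<HH", 0x0600, 0x0005) + b"\x00" * 12)
    + build_boundsheet("Sheet1", 0x00, 0x00)
    + build_boundsheet("Macro1", 0x01, 0x02)
    + build_record(EOF_REC, b"")
)

if __name__ == "__main__":
    for sheet in find_xlm_macro_sheets(SAMPLE_STREAM):
        print(f"XLM macro sheet {sheet['name']!r} is {sheet['visibility']}")
```

On a real .xls attachment the Workbook stream comes out of the OLE2 container first, for example with `olefile.OleFileIO(path).openstream("Workbook").read()`, and the result is then passed to `find_xlm_macro_sheets`. A macro sheet whose visibility is `hidden` or `very_hidden` is the combination worth escalating, since a legitimate workbook rarely needs to hide an Excel 4.0 macro sheet from the user.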



An interesting find is that the same trick was seen in February 2021, when researchers at Intel 471 analyzed the malware distributor’s switch to delivering IcedID and described EtterSilent, a malicious document builder that has been gaining in popularity due to its constant development and its ability to bypass several security mechanisms (Windows Defender, AMSI and even email services).


One feature of EtterSilent is that it can create malicious documents that look like DocuSign or DigiCert-protected files that require user interaction for decryption.
