The owners of the Qbot botnet are changing things up.  The botnet’s normal Modus Operandi for distributing their signature Qbot malware has been to push their malicious code via phishing emails which contain Microsoft Office documents laden with poisoned macros. More recently though, the group behind the botnet has switched to phishing emails carrying password-protected ZIP files which contain malicious MSI Windows Installer packages.

It’s the first time we’ve seen this tactic from Qbot and no one is sure what drove the change. The best theory put forward so far is that the tactical shift is a response to a recent announcement by Microsoft to disable Excel 4.0 macros by default. This was done in a bid to shut down macros as a possible delivery system.  If so, it demonstrates the incredible nimbleness and responsiveness of the hacking world.

Microsoft began rolling out a new VBA autoblock feature for Microsoft Office in April 2022.

Microsoft had this to say about the matter:

“Despite the varying email methods attackers are using to deliver Qakbot, these campaigns have in common their use of malicious macros in Office documents, specifically Excel 4.0 macros.

It should be noted that while threats use Excel 4.0 macros as an attempt to evade detection, this feature is now disabled by default and thus requires users to enable it manually for such threats to execute properly.”

Qbot can best be described as a modular Windows banking trojan that spreads like a worm.  It has been active for more than a decade and the people who control the malicious code have targeted several high-profile corporate entities, seeking the biggest bang for their buck.

Over the years, several large and well-organized gangs of hackers, including MegaCortex, PwndLocker, and REvil have leveraged Qbot to breach corporate networks.  Although Microsoft’s recent moves have made it harder for the botnet to operate, it’s clear that they are adapting.