
Cybercrime: Qakbot impersonates Microsoft Defender to spread

Bleeping Computer: Microsoft Defender is the latest lure used by cybercriminals to spread Qakbot (Qbot)

Cybercrime actors are using a new document template to distribute the Qakbot (Qbot) botnet. It uses a fake Windows Defender Antivirus theme to lure victims into enabling Excel macros, as discovered by Bleeping Computer’s cybersecurity experts. The malware is spread via malspam campaigns with malicious .xls attachments. If opened, the documents prompt the user to click “Enable Content”, so that the macros run and install Qbot on the victim’s computer. To trick users into clicking “Enable Content”, the threat actors use stylized document templates that pretend to come from a trustworthy organization or from the operating system itself. On August 25th, Qbot switched to a new template that pretends to be an alert from Windows Defender Antivirus, claiming that the document is encrypted. To decrypt it, users are told to click “Enable Editing” or “Enable Content” so that the “Microsoft Office Decryption Core” can decrypt the file.
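The lure described above only works if the macro-enabled attachment reaches the user's mailbox and the user clicks “Enable Content”. A mail gateway or triage script can catch the first step by detecting whether an Office attachment carries a VBA project at all. The following Python is an added example written for this page; it is not Bleeping Computer's code or part of any Qbot analysis. It assumes two cheap, self-contained checks: for OOXML containers (.xlsm/.xlsx) it looks for a `vbaProject.bin` part inside the ZIP, and for legacy OLE2 files (.xls) it scans the raw bytes for the UTF-16LE directory-entry name `_VBA_PROJECT_CUR`, a heuristic rather than a full OLE parse. The sample attachments are constructed in memory and are not real workbooks.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .xls/.doc).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Magic bytes of a ZIP container (OOXML .xlsx/.xlsm/.docx/.docm).
ZIP_MAGIC = b"PK\x03\x04"
# Legacy Excel stores macros in a storage named _VBA_PROJECT_CUR; OLE2
# directory entry names are written as UTF-16LE, so this byte string is
# what appears in the file. This is a heuristic, not an OLE parser.
XLS_VBA_MARKER = "_VBA_PROJECT_CUR".encode("utf-16-le")
# Extensions that are not supposed to carry macros at all.
MACRO_FREE_EXTENSIONS = {"xlsx", "docx", "pptx"}


def has_macros(data: bytes) -> bool:
    """Return True if the attachment bytes appear to contain a VBA project."""
    if data.startswith(ZIP_MAGIC):
        # OOXML: the VBA project is a separate part named vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        return XLS_VBA_MARKER in data
    return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Decide whether an attachment should be quarantined and say why."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    macro = has_macros(data)
    reasons = []
    if macro:
        reasons.append("attachment carries a VBA project")
        if ext in MACRO_FREE_EXTENSIONS:
            reasons.append("macro payload inside an extension that should not carry macros")
    return {
        "file": filename,
        "macros": macro,
        "verdict": "quarantine" if macro else "deliver",
        "reasons": reasons,
    }


# --- Constructed test attachments (not real Office documents) -------------

def make_ooxml_workbook(with_macro: bool) -> bytes:
    """Build a minimal ZIP that mimics an OOXML workbook's part layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_legacy_xls(with_macro: bool) -> bytes:
    """Build fake OLE2 bytes: the magic header, padding, and optionally the marker."""
    body = b"\x00" * 64
    if with_macro:
        body += XLS_VBA_MARKER
    return OLE_MAGIC + body


if __name__ == "__main__":
    samples = [
        ("invoice.xls", make_legacy_xls(True)),       # the campaign's .xls lure shape
        ("report.xls", make_legacy_xls(False)),
        ("budget.xlsm", make_ooxml_workbook(True)),
        ("budget.xlsx", make_ooxml_workbook(True)),   # macros hidden behind a safe-looking extension
        ("notes.xlsx", make_ooxml_workbook(False)),
    ]
    for name, blob in samples:
        print(triage_attachment(name, blob))
```

A gateway rule of this kind stops the attachment before the “Enable Content” prompt ever appears; on the endpoint side, the Office policy that blocks macros in files downloaded from the internet (files carrying the Mark of the Web) removes the button the lure depends on.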

Cybersecurity experts: threat actors continue to use signed campaigns to distribute the malware

Furthermore, cybercrime actors rely on “signed” campaigns to spread Qakbot. The objective is to deceive antivirus software and get victims to download and install the malicious file from the attachment, using company certificates to sign the executable. Criminal hackers still impersonate organizations from different countries in signed malspam campaigns to infect victims with the malware. Qakbot is a modular banking trojan known to target businesses in order to steal money from their online banking accounts. It has worm capabilities to self-replicate through shared drives and removable media, and it uses powerful information-stealing features to spy on users’ banking activity.
