Qbot malware found smuggled inside Windows Installer packages

Crooks are adapting to Microsoft’s changes

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Qbot botnet operators are no longer distributing themalwarevia weaponizedMicrosoftOffice documents. Instead, they’re opting for maliciousMSIWindows Installer packages.

Cybersecurity researchers see this as a “direct reaction” to Microsoft’s move to prevent malware being delivered via Office macros.

Qbot, or Quakbot, is a Windows banking trojan that’s been roaming in the wild for more than a decade. Threat actors usually use it to steal banking login information, as well as personal and other identity-related data. It can also be used as a dropper that distributes Cobalt Strike on compromisedendpoints.

We’re looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn’t take more than 60 seconds of your time. Thank you for taking part.

Click here to start the survey in a new window«

Macros disabled since January

Among the threat actors usually deploying Qbot are REvil, Egregor, and MegaCortex, all of which usually target companies, rather than individuals.

In late January this year, Microsoft made a major move, in a bid to discourage criminals from using Office files to distribute malware - it disabled Excel 4.0 (XLM) macros by default.

Back in July 2021, the company released a new Excel Trust Center setting option, allowing administrators to restrict the usage of Excel 4.0 (XLM) macros. It has since made this option default for everyone.

Excel 4.0 (XLM) macros were the default format until 1993, and even though they’ve since been discontinued, they can still be run by the latest versions of the Office program. That makes them ideal for threat actors, who’ve been abusing them to push malware such as TrickBot, Zloader, Qbot, Dridex,ransomware, and many other malicious programs.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Fujifilm taken down by serious ransomware attack>This notorious malware has returned after months away>Microsoft Excel is making a big change to protect against malware

Administrators can use existing Microsoft 365 applications policy control to configure this setting. The Group Policy setting “Macro Notification Settings” for Excel can be found in the following path and registry key:

Group Policy Path: User configuration > Administrative templates > Microsoft Excel 2016 > Excel Options > Security > Trust Center.

Registry Key Path: Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\excel\security

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Your doctor may have an AI assistant taking notes during your next Zoom call