Chapter 9: Qbot Strikes Back: Adapting to Microsoft’s Macro Blocking

Adaptive techniques of Qbot: Overcoming Microsoft’s macro execution block

Qbot, a resilient and cunning malware family, has resurfaced with a new approach in response to Microsoft’s decision to block macro execution. After a period of inactivity, Qbot operators launched fresh attacks in September 2021, leveraging malicious Excel email attachments containing macros.

In February 2022, Microsoft announced its plan to block macro execution in popular Microsoft Office file types downloaded from the Internet. This move aimed to curb the widespread abuse of macros by threats like Qbot. The block relies on the “Mark of the Web”, a hidden value assigned to files originating from the Internet, which lets Office recognize such files.

Qbot operators wasted no time in adapting to this significant security measure. They quickly devised alternative infection techniques to bypass the Mark of the Web protection for Office files. Observations from Hornetsecurity revealed that Qbot spam emails now included HTML attachments, providing a stealthy method to avoid downloading additional files.

These HTML attachments carried compressed zip files containing various file types, including ISOs, LNKs, and DLLs. The files were accessed sequentially, culminating in the execution of the main executable. Despite its intricate attack chain, this approach has proven effective for Qbot, demonstrating its ability to deceive users and evade detection.
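A mail-gateway style check for the delivery chain described above, added here as an illustration and not taken from the original chapter or any vendor tooling. It assumes the zip is embedded in the HTML attachment as a base64 string, which the chapter does not specify; the function names are hypothetical and the sample HTML is constructed and harmless.

```python
import base64
import io
import os
import re
import zipfile

# File types the chapter lists inside the zip.
SUSPICIOUS_EXT = {".iso", ".lnk", ".dll"}
# Assumption: the archive sits in the HTML as one long base64 run.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"


def embedded_zips(html):
    """Yield the decoded bytes of every base64 run that starts with the zip magic."""
    for match in B64_RUN.finditer(html):
        run = match.group(0)
        run = run[: len(run) - len(run) % 4]  # trim to a decodable length
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if blob.startswith(ZIP_MAGIC):
            yield blob


def flag_attachment(html):
    """Return sorted archive member names whose extension is on the watch list."""
    hits = set()
    for blob in embedded_zips(html):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:  # truncated or corrupt archive
            continue
        hits.update(n for n in names if os.path.splitext(n)[1].lower() in SUSPICIOUS_EXT)
    return sorted(hits)


def build_sample_html(member="invoice.iso"):
    """Constructed sample: an HTML page embedding a zip with one empty member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f'<html><body><script>var data = "{b64}";</script></body></html>'


if __name__ == "__main__":
    print(flag_attachment(build_sample_html()))
```

The check only reads the archive's member list, so nothing inside the zip is extracted or executed.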

As organizations face the evolving threat landscape, understanding the adaptive strategies of Qbot and other malware families becomes even more crucial.