VERY IMPORTANT

Morphisec Labs has tracked a massive maldoc campaign delivering the QakBot/QBot banking trojan, starting earlier this month. Qakbot leverages advanced techniques to evade detection and hamper manual analysis of the threat. In this post we will mention two of those interesting techniques. QakBot attacks typically include a malicious attachment to a phishing email. Often these are bare Microsoft Word documents attached to the spam email. This particular campaign features a ZIP file; within the ZIP attachment is a Word document that includes macros within the document. These macros execute a PowerShell script that then downloads the Qakbot payload from specific URLs.