NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

2023-04-19 (WEDNESDAY) - QUICK POST: QAKBOT (QBOT) ACTIVITY, DISTRIBUTION TAGS BB24 AND OBAMA254

NOTES:

• This post documents the differences in distribution for BB-series Qakbot and for obama-series Qakbot.

• On 2023-04-19, BB24 malsapm first used OneNote attachments as the initial lure, then switched to PDF attachments.
• After BB24 malspam switched to PDF attachments, the PDF links first pushed zip-ed .hta files, then later pushed zip-ed .wsf files.
• Obama254 malspam used PDF attachments with links to zip-ed .wsf files, not switching lures like BB24.

• I didn't let pcap for BB24 run very long, but I let the pcap for obama254 run several hours.
• This is mostly raw data.  See the notes for details.

 

ASSOCIATED FILES:

• 2023-04-19-notes-for-BB24-Qakbot-using-OneNote-lures.txt.zip   3.9 kB   (3,930 bytes)
• 2023-04-19-notes-for-BB24-Qakbot-using-PDF-lures.txt.zip   4.2 kB   (4,195 bytes)
• 2023-04-19-obama254-Qakbot-notes.txt.zip   2.5 kB   (2,455 bytes)

• 2023-04-19-BB24-Qakbot-email-and-malware-samples-from-OneNote-lures.zip   380.9 kB   (380,852 bytes)
• 2023-04-19-BB24-Qakbot-email-and-malware-samples-from-PDF-lures.zip   2.7 MB   (2,710,276 bytes)
• 2023-04-19-obama254-Qakbot-emails-and-malware.zip   2.6 MB   (2,642,185 bytes)

• 2023-04-19-BB24-Qakbot-infection-from-PDF-lure.pcap.zip   3.0 MB   (3,018,200 bytes)
• 2023-04-19-obama254-Qakbot-infection.pcap.zip   47.6 MB   (47,595,510 bytes)

 

Click here to return to the main page.