QakBot malware: Warning of increasing attacks
by Tina Siering
Sharp rise in "QakBot" attacks observed
Over the last three days, a sharp rise in successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") has been observed worldwide.
QakBot spreads mainly through targeted spear phishing: the recipient is urged to open an attached malicious ISO file, which in turn contains an LNK shortcut and the QakBot payload. Because Windows mounts a double-clicked ISO as a virtual DVD-ROM, the LNK can launch the payload directly from the mounted image.
This banking Trojan gives criminals access to online banking accounts, exfiltrates user data and downloads further malware. The activity is attributed to the threat actors behind the Black Basta ransomware. We have also already actively detected the malware as part of our ACD monitoring. As a preventive measure, which we have already implemented and verified as effective for affected customers, we strongly recommend the following Group Policy Object (GPO) adjustment.
To prevent ISO disk images from being mounted on all devices in the network, we recommend that system administrators make a global change to the Group Policy Objects (GPO): under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions, enable the policy "Prevent installation of devices that match any of these device IDs". Attached is a screenshot documenting the setting change.
Please enter exactly the following device ID (note the underscores): SCSI\CdRomMsft____Virtual_DVD-ROM_ and additionally tick "Also apply to matching devices that are already installed", so that a virtual DVD-ROM device that has already been installed on a client is blocked as well.
In our view, users should not be able to mount ISO files at all. Note that this setting blocks only Windows's built-in mounting of ISO images as a virtual DVD-ROM; a user who extracts the ISO with an archive tool can still reach the LNK and payload, so blocking ISO attachments at the mail gateway remains advisable.
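To confirm on an individual client that the policy has actually applied, the following PowerShell script reads the standard registry keys that back the "Prevent installation of devices that match any of these device IDs" policy (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions) and optionally attempts to mount a test ISO. This is an added example and not part of the original advisory or of Allgeier secion's tooling; the function names are this example's own, and it assumes that a denied virtual DVD-ROM makes Mount-DiskImage either fail or attach the image without exposing a volume.

```powershell
# Added example (not from the original advisory): verify on an endpoint that the
# "Prevent installation of devices that match any of these device IDs" policy denies
# the Windows virtual DVD-ROM device, i.e. that the GPO described above has applied.
# Function names are this example's own; the registry locations are the policy's
# standard backing keys.

$VirtualDvdId   = 'SCSI\CdRomMsft____Virtual_DVD-ROM_'
$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Test-IsoMountBlocked {
    [CmdletBinding()]
    param(
        [string]$DeviceId  = $VirtualDvdId,
        [string]$PolicyKey = $RestrictionsKey
    )

    $result = [ordered]@{
        PolicyEnabled  = $false   # policy "Enabled" -> DenyDeviceIDs = 1
        Retroactive    = $false   # "Also apply to matching devices that are already installed"
        DeviceIdListed = $false   # exact virtual DVD-ROM ID present in the deny list
        Blocked        = $false
    }

    if (Test-Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey
        $result.PolicyEnabled = ($props.DenyDeviceIDs -eq 1)
        $result.Retroactive   = ($props.DenyDeviceIDsRetroactive -eq 1)

        # The deny list lives in a subkey; entries are values named "1", "2", ...
        # whose data is the device ID string.
        $listKey = Join-Path $PolicyKey 'DenyDeviceIDs'
        if (Test-Path $listKey) {
            $ids = (Get-ItemProperty -Path $listKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { $_.Value }
            # Device IDs are case-insensitive, but the underscores must match exactly.
            $result.DeviceIdListed = [bool]($ids | Where-Object { $_ -ieq $DeviceId })
        }
    }

    $result.Blocked = $result.PolicyEnabled -and $result.DeviceIdListed
    return [pscustomobject]$result
}

function Test-IsoMountAttempt {
    # Live check against a known-benign ISO of your own. Assumption (this example's):
    # when the virtual DVD-ROM device is denied, Mount-DiskImage either throws or
    # attaches the image without any volume being exposed.
    param([Parameter(Mandatory)][string]$IsoPath)
    try {
        $img = Mount-DiskImage -ImagePath $IsoPath -PassThru -ErrorAction Stop
    } catch {
        return $true   # mount refused: mitigation effective
    }
    $vol = $img | Get-Volume -ErrorAction SilentlyContinue
    Dismount-DiskImage -ImagePath $IsoPath -ErrorAction SilentlyContinue | Out-Null
    return ($null -eq $vol)   # mounted with a drive letter -> mitigation NOT effective
}

$status = Test-IsoMountBlocked
$status | Format-List
if (-not $status.Blocked) {
    Write-Warning 'Virtual DVD-ROM is not denied by policy; ISO attachments can still be mounted on this host.'
} elseif (-not $status.Retroactive) {
    Write-Warning 'Deny list is active but not retroactive; an already-installed virtual DVD-ROM device remains usable.'
}
```

Run the script after a `gpupdate /force` on a representative client; a host that reports Blocked = False while the GPO is linked usually indicates a scope or WMI-filter problem rather than a typo in the device ID, since the ID comparison above is exact.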
Allgeier secion customers with an active Managed Service contract for Active Cyber Defense are of course informed separately about malicious communications on their systems.