2023-04-19 (WEDNESDAY) – QUICK POST: QAKBOT (QBOT) ACTIVITY, DISTRIBUTION TAGS BB24 AND OBAMA254
NOTES:
- This post documents the differences in distribution for BB-series Qakbot and for obama-series Qakbot.
- On 2023-04-19, BB24 malspam first used OneNote attachments as the initial lure, then switched to PDF attachments.
- After BB24 malspam switched to PDF attachments, the PDF links first pushed zipped .hta files, then later pushed zipped .wsf files.
- Obama254 malspam used PDF attachments with links to zipped .wsf files, without switching lures the way BB24 did.
- I didn’t let the pcap for BB24 run very long, but I let the pcap for obama254 run several hours.
- This is mostly raw data. See the notes for details.
- Zip files are password-protected. If you don’t know the password, see the “about” page of this website.
ASSOCIATED FILES:
- 3.9 kB (3,930 bytes)
- 4.2 kB (4,195 bytes)
- 2.5 kB (2,455 bytes)
- 377.1 kB (377,052 bytes)
- 2.7 MB (2,706,564 bytes)
- 2.6 MB (2,638,561 bytes)
- 3.0 MB (3,018,200 bytes)
- 47.6 MB (47,595,510 bytes)