![]() ![]() See Table 1 for a few examples of URLs from Qakbot malspam recently reported on URLhaus and Twitter. URLs from these emails end with a short series of numbers followed by. ![]() Recent malspam distributing Qakbot uses fake email chains that spoof legitimate email addresses. Flow chart from recent Qakbot distribution campaigns. Recent malspam-based distribution campaigns for Qakbot follow a chain of events shown in Figure 2. In some cases, Qakbot is a follow-up infection caused by different malware like Emotet as reported in this example from March 2019. Qakbot is most often distributed through malicious spam (malspam), but it also has been distributed through exploit kits as recently as November 2019. Figure 1 shows our pcap open in Wireshark, ready to review. Download the zip archive named and extract the pcap. The pcap used for this tutorial is located here. Initial zip archive from link in an malspam.If you are limited to a Windows computer, we suggest reviewing the pcap within a virtual machine (VM) running any of the popular recent Linux distros. You should review this pcap in a non-Windows environment. Please also note that the pcap used for this tutorial contains malware. You should also have experience with Wireshark display filters as described in this additional tutorial. We use a customized column display shown in this tutorial. Note: This tutorial assumes you have a basic knowledge of network traffic and Wireshark. Understanding these traffic patterns can be critical for security professionals when detecting and investigating Qakbot infections. ![]() This Wireshark tutorial reviews a recent packet capture (pcap) from a Qakbot infection. This family of malware has been active for years, and Qakbot generates distinct traffic patterns. Qakbot is an information stealer also known as Qbot. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |