Qbot malware switches to new Windows Installer infection vector

LASER_oneXM

Level 37
Thread author
Verified
Top poster
Well-known
Feb 4, 2016
2,534
The Qbot botnet is now pushing malware payloads via phishing emails with password-protected ZIP archive attachments containing malicious MSI Windows Installer packages.

This is the first time the Qbot operators are using this tactic, switching from their standard way of delivering the malware via phishing emails dropping Microsoft Office documents with malicious macros on targets' devices.

Security researchers suspect this move might be a direct reaction to Microsoft announcing plans to kill malware delivery via VBA Office macros in February after disabling Excel 4.0 (XLM) macros by default in January.

Microsoft has begun rolling out the VBA macro autoblock feature to Office for Windows users in early April 2022, starting with Version 2203 in the Current Channel (Preview) and to other release channels and older versions later.