QAKBOT is a prevalent information-stealing malware that was first discovered in 2007. In recent years, its detection has become a precursor to many critical and widespread ransomware attacks. It has been identified as a key “malware installation-as-a-service” botnet that enables many of today’s campaigns.
Toward the end of September 2021, we noted that QAKBOT operators resumed email spam operations after an almost three-month hiatus. Specifically, we saw that the malware distributor “TR” was sending malicious spam that led victims to SquirrelWaffle (another malware loader) and QAKBOT. In early October, the same “TR” distributor was reportedly conducting brute-force attacks on Internet Message Access Protocol (IMAP) services, and security researchers have also speculated that “TR” uses ProxyLogon to acquire the credentials used in those attacks.
Source: Trend Micro