Qbot botnet operators no longer distribute malware via weaponized Microsoft Office documents; they have switched to malicious Windows Installer (MSI) packages.
Cybersecurity researchers see the switch as a "direct reaction" to Microsoft's decision to block the spread of malware via Office macros.
Qbot, or Qakbot, is a Windows banking Trojan that has been active in the wild for over a decade. Attackers typically use it to steal banking credentials, personal data, and other identity-related information. It also serves as a dropper that delivers Cobalt Strike to compromised endpoints.
Macros disabled since January
Threat actors that typically deploy Qbot include REvil, Egregor, and MegaCortex, all of which typically target businesses rather than individuals.
At the end of January this year, Microsoft made a major change intended to discourage criminals from using Office files to distribute malware: it disabled Excel 4.0 (XLM) macros by default.
In July 2021, the company released a new Excel Trust Center configuration option, allowing administrators to restrict the use of Excel 4.0 (XLM) macros. It has since made this the default option for everyone.
Excel 4.0 macros (XLM) were the default macro format until 1993, and although they have long been superseded, the latest versions of Excel can still run them. This makes them attractive to threat actors, who have abused them to push TrickBot, Zloader, Qbot, Dridex, ransomware, and many other malicious programs.
Administrators can use the existing Microsoft 365 Apps Policy Control to configure this setting. The "Macro Notification Settings" Group Policy setting for Excel is located at the following path and registry key:
Group Policy path: User Configuration > Administrative Templates > Microsoft Excel 2016 > Excel Options > Security > Trust Center
Registry key path: Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\excel\security
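As an added example (not from the article, Microsoft, or BleepingComputer), the following PowerShell script audits the policy key named above on a single machine: it reports whether the key exists at all (no key means no Group Policy enforcement, so Excel is relying on its built-in defaults) and compares any DWORD values you expect against what is actually set. The article does not give the value names the ADMX template writes under that key, so they are deliberately left for you to supply via the -Expected parameter rather than guessed here; the "16.0" hive assumes Microsoft 365 Apps or Office 2016 and later.

```powershell
# Added example, not the article's own content. Audits the Excel macro policy
# key the article names. The value names under it depend on your Office ADMX
# version and are not given in the article, so pass them in via -Expected.
param(
    # name => expected DWORD, taken from your own excel16.admx (placeholder:
    # an empty table only checks that the policy key exists).
    [hashtable]$Expected = @{}
)

$policyKey = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\excel\security'

function Get-ExcelMacroPolicy {
    param([string]$Path = $policyKey)
    if (-not (Test-Path -Path $Path)) {
        # No policy key: nothing is enforced by GPO and Excel falls back to its
        # built-in defaults (XLM macros disabled by default since January 2022).
        return [pscustomobject]@{ Path = $Path; Present = $false; Values = @{} }
    }
    $item   = Get-ItemProperty -Path $Path
    $values = @{}
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PS* metadata properties Get-ItemProperty attaches.
        if ($prop.Name -notlike 'PS*') { $values[$prop.Name] = $prop.Value }
    }
    return [pscustomobject]@{ Path = $Path; Present = $true; Values = $values }
}

function Test-ExcelMacroPolicy {
    param([pscustomobject]$Policy, [hashtable]$Expected)
    $findings = @()
    if (-not $Policy.Present) {
        $findings += "Policy key missing: $($Policy.Path) (no GPO enforcement; relying on Office defaults)"
        return $findings
    }
    foreach ($name in $Expected.Keys) {
        if (-not $Policy.Values.ContainsKey($name)) {
            $findings += "Value '$name' not set (expected $($Expected[$name]))"
        } elseif ($Policy.Values[$name] -ne $Expected[$name]) {
            $findings += "Value '$name' is $($Policy.Values[$name]), expected $($Expected[$name])"
        }
    }
    return $findings
}

$policy = Get-ExcelMacroPolicy
"Policy key: $($policy.Path)  present: $($policy.Present)"
foreach ($k in $policy.Values.Keys) { "  $k = $($policy.Values[$k])" }
$findings = Test-ExcelMacroPolicy -Policy $policy -Expected $Expected
if ($findings.Count -eq 0) { "No findings." } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it as the user whose Excel you are checking, since the key lives under HKEY_CURRENT_USER; a missing key is itself a useful finding, because it tells you the restriction in place is Microsoft's default rather than something your Group Policy enforces and would reinstate if a user changed the Trust Center setting.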
Via: BleepingComputer