QakbotMSI
21 June 2022 at 22:11
Executive Summary

In mid-April 2022, Mandiant observed UNC2500 campaigns using MSI packages to distribute Qakbot payloads. The change came shortly after Microsoft's announcement that VBA macros in Office documents downloaded from the internet (files carrying the Mark of the Web in the Zone.Identifier alternate data stream) will be blocked by default; an MSI installer is not an Office document, so that control does not apply to it. The new payload uses the botnet ID AA, which differs from previous campaigns that used tr, cullinan, and cullinan01. Distribution was through phishing emails containing a malicious link, to either OneDrive or a file hosted on a compromised website, that downloads a ZIP archive.
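The Mark of the Web that the macro block keys on is a small INI-style stream attached to the downloaded file. As an added example that is not part of Mandiant's report or any Qakbot sample, the following Python parses a Zone.Identifier stream, reads it from a file on NTFS when running on Windows, and applies the policy distinction the summary turns on: a downloaded .docm with the mark is caught by the Office macro block, while a .msi carrying the identical mark is not. The sample stream and its URLs are constructed, and the Office extension list is an assumption covering the common macro-capable formats.

```python
"""Parse and evaluate the Zone.Identifier ADS (Mark of the Web).

Added example, not from the Mandiant report. The stream layout follows the
Windows [ZoneTransfer] format (ZoneId plus optional ReferrerUrl/HostUrl).
"""
import configparser
import os
from dataclasses import dataclass
from typing import Optional

# URLZONE values as used by Windows (0..4).
ZONES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Assumption: common macro-capable Office formats the default block covers.
OFFICE_MACRO_EXTS = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlt", ".xlsm",
                     ".xltm", ".xlsb", ".ppt", ".pot", ".pptm", ".potm"}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONES.get(self.zone_id, f"Unknown({self.zone_id})")

    @property
    def from_internet(self) -> bool:
        # Internet (3) and Restricted (4) zones are what trigger the block.
        return self.zone_id >= 3


def parse_zone_identifier(stream: str) -> Optional[MarkOfTheWeb]:
    """Parse raw Zone.Identifier text; None if no usable [ZoneTransfer] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(stream)
    except configparser.Error:
        return None
    if "ZoneTransfer" not in parser:
        return None
    section = parser["ZoneTransfer"]
    zone = section.get("ZoneId")
    if zone is None or not zone.strip().isdigit():
        return None
    return MarkOfTheWeb(zone_id=int(zone),
                        referrer_url=section.get("ReferrerUrl"),
                        host_url=section.get("HostUrl"))


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read the ADS from an NTFS file. Only meaningful on Windows; None elsewhere."""
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None  # no stream on the file, or not an NTFS volume


def macro_block_applies(filename: str, motw: Optional[MarkOfTheWeb]) -> bool:
    """True when the default Office macro block would stop this file.

    The block needs both an Internet/Restricted mark and an Office document;
    a .msi with the same mark falls outside it, which is the gap the MSI
    delivery described above exploits (SmartScreen may still prompt).
    """
    if motw is None or not motw.from_internet:
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext in OFFICE_MACRO_EXTS


# Constructed sample stream, as a browser would write it for an Internet download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=https://onedrive.example.invalid/share/abc\r\n"
                 "HostUrl=https://onedrive.example.invalid/download/invoice.zip\r\n")

if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_STREAM)
    for name in ("invoice.docm", "invoice.msi"):
        print(f"{name}: zone={mark.zone_name} macro_block={macro_block_applies(name, mark)}")
```

Note that the mark only matters if it survives extraction: Windows Explorer propagates Zone.Identifier to files it unzips, but not every third-party archiver does, so a .docm pulled out of the ZIP by another tool may carry no mark at all.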