
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction

Blog post from Sublime Security

Post Details
Date Published
Author
Sam Scholten
Word Count
849
Language
English
Summary

QakBot, also known as QBot and Pinkslipbot, is a banking Trojan that has been evolving since it first appeared in 2007, originally built to steal financial data and login credentials. Over the years it has used a range of infection techniques, including malspam campaigns and, more recently, Windows Script Files (.wsf) for payload delivery, where malicious code is executed through a multi-stage sequence of files. To keep pace with QakBot's changing methods, the post recommends a layered detection and prevention strategy: MQL rules that flag suspicious email attachments, combined with Attack Surface Reduction (ASR) techniques that shrink the set of file types and behaviors an attacker can abuse. The described rules scan emails for suspicious links, detect disk images inside encrypted zip files, and identify malicious commands embedded in OneNote attachments, each aimed at reducing the chance that the malware reaches execution. These detection rules and techniques are included in the Sublime Rules Feed, giving users protection against QakBot and similar threats.