It's the first time we've seen this tactic from Qbot and no one is sure what drove the change. The best theory put forward so far is that the tactical shift is a response to a recent announcement by Microsoft to disable Excel 4.0 macros by default. This was done in a bid to shut down macros as a possible delivery system. If so, it demonstrates the incredible nimbleness and responsiveness of the hacking world.
Microsoft began rolling out a new VBA autoblock feature for Microsoft Office in April 2022.
Microsoft had this to say about the matter:
"Despite the varying email methods attackers are using to deliver Qakbot, these campaigns have in common their use of malicious macros in Office documents, specifically Excel 4.0 macros.
It should be noted that while threats use Excel 4.0 macros as an attempt to evade detection, this feature is now disabled by default and thus requires users to enable it manually for such threats to execute properly."
Qbot can best be described as a modular Windows banking trojan that spreads like a worm. It has been active for more than a decade and the people who control the malicious code have targeted several high-profile corporate entities, seeking the biggest bang for their buck.
Over the years, several large and well-organized gangs of hackers, including MegaCortex, PwndLocker, and REvil have leveraged Qbot to breach corporate networks. Although Microsoft's recent moves have made it harder for the botnet to operate, it's clear that they are adapting.