Qakbot infection with Cobalt Strike and VNC activity
released on 2022-03-16 @ 12:37:01 PM
On Monday 2022-03-14, Brad Duncan infected a vulnerable Windows host with Qakbot (Qbot) malware. Approximately 17 hours later, the infected host generated Cobalt Strike and VNC (Virtual Network Computing) traffic. Like Cobalt Strike, VNC provides remote access to an infected host.
DLL files used for Qakbot infections have tags in the code that identify the malware sample's distribution channel. In this case, the distribution tag was obama166.
Today's diary provides a quick review of the infection activity.