Security researchers have discovered a new variant of the Qakbot malware that evades detection.
In a blog post, researchers at Cisco Talos said a new campaign used an updated persistence mechanism that can make it harder for users to detect and remove the trojan.
The downloader then downloads encrypted malware code from these domains to multiple archives.
They added that the code serves to reassemble the malicious Qakbot executable from the two .zzz files, using the type command.
"The two .zzz files are then deleted after the reassembled executable is run. The functionality of the Qakbot malware remains the same," they said.
Researchers also noted that comment strings within the malware suggested the malware developer had updated the code on 15 March. "This indicates that these changes to the Qbot persistence mechanism seem to coincide with the launch of a new campaign."
The changes in the Qakbot malware make it more difficult for traditional anti-virus software to detect, said researchers.
"This may allow the download of the malware to go undetected, as the malware is obfuscated when it is downloaded and saved in two separate files. These files are then decrypted and reassembled using the type command," researchers added.
"Detection that is focused on seeing the full transfer of the malicious executable would likely miss this updated version of Qakbot. Because of this update to persistence mechanisms, the transfer of the malicious Qbot binary will be obfuscated to the point that some security products could miss it."
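One way to detect the reassembly step rather than the download, added here as an example and not taken from the Talos post or from the malware: it scans process-creation command lines for `type` redirecting two or more files into a single executable. The sample command lines, file names and extension list are constructed assumptions; the page does not give the exact command line used.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: output extensions treated as executable for this check.
EXEC_EXT = {".exe", ".dll", ".scr", ".com"}

# Matches `type <sources> > dest` and `type <sources> >> dest` inside a command line.
TYPE_RE = re.compile(
    r'(?i)(?:^|[\s&|(])type\s+([^>&|]+?)\s*>{1,2}\s*("[^"]+"|[^\s&|)]+)'
)
TOKEN_RE = re.compile(r'"[^"]+"|\S+')


def reassembly_targets(cmdline):
    """Return {dest: [sources]} for executables built by `type` from >= 2 files."""
    built = defaultdict(list)
    for srcs, dest in TYPE_RE.findall(cmdline):
        dest = dest.strip('"').lower()
        if PureWindowsPath(dest).suffix in EXEC_EXT:
            # Sources accumulate per destination, so `>` followed by `>>`
            # to the same file counts as one reassembly.
            built[dest] += [s.strip('"').lower() for s in TOKEN_RE.findall(srcs)]
    return {d: s for d, s in built.items() if len(s) >= 2}


# Constructed process-creation command lines (e.g. from EDR or Sysmon-style logs).
SAMPLE_EVENTS = [
    r'cmd.exe /c type C:\Users\Public\p1.zzz C:\Users\Public\p2.zzz > C:\Users\Public\app.exe',
    r'cmd.exe /c type p1.zzz > out.exe & type p2.zzz >> out.exe & out.exe',
    r'cmd.exe /c type notes.txt > backup.txt',   # benign: output is not executable
    r'cmd.exe /c type build.log',                # benign: no redirection
]


def scan(events):
    """Return (command line, {dest: [sources]}) for every event that matches."""
    return [(e, hits) for e in events if (hits := reassembly_targets(e))]


if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS):
        print("ALERT", hits, "<-", event)
```

Because it keys on the command line that rebuilds the file, the check does not depend on seeing the full executable in transit.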