After a decade, Qbot Trojan malware gains new, dangerous tricks

The Qbot Trojan has been plaguing computer users and businesses for over a decade and the cybercriminals behind it are still coming up with new tricks that keep it one of the most prevalent and successful malware threats. The latest technique observed by security researchers involves the malware inserting itself into the legitimate email threads of their victims to spread.

Qbot, also known as Qakbot or Pinkslipbot, started out as a banking Trojan focused on stealing online banking credentials, but has since evolved into a “Swiss Army knife” that’s used for a variety of purposes including distributing ransomware, according to researchers from security firm Check Point Software Technologies who tracked the malware’s latest campaigns.

Toward the end of last month, a new Qbot variant started being distributed by another Trojan called Emotet as part of a new spam campaign that affected many organizations worldwide. That new variant exhibited new features and a new command-and-control infrastructure. This continued with a renewed Qbot distribution campaign earlier this month.

“One of Qbot’s new tricks is particularly nasty, as once a machine is infected, it activates a special ‘email collector module’ which extracts all email threads from the victim’s Outlook client, and uploads it to a hardcoded remote server,” the Check Point researchers said in a new report. “These stolen emails are then utilized for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation.”

The company has seen hijacked email threads in which Qbot inserted itself with subjects related to the COVID-19 pandemic, tax reminders and job recruitments. A third of the organizations targeted in the new campaigns were from the US, but organizations from Europe were also heavily affected. The most targeted industries were government, military, manufacturing, insurance, legal, healthcare and banking.

How Qbot spreads

The Qbot infection chain is not very sophisticated, but it has changed since April. In the past, the spam emails that delivered Qbot carried malicious documents with macros; now they contain URLs to a .zip file that holds a downloader script written in VBScript (VBS). This type of script used to execute natively on Windows in the context of Internet Explorer, as VBScript is a scripting language developed by Microsoft, but it has been deprecated since last year after being abused by attackers for years. However, attackers know that many businesses still run old versions of Windows and Internet Explorer that lack the latest security features and updates.
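A mail-gateway check for the delivery pattern described above (a .zip attachment or download containing a VBScript dropper), written as an added example for this article rather than code from the Check Point report. The script-extension list, size and depth limits, and the sample archive are all constructed assumptions; the scanner recurses into nested zips and flags encrypted members it cannot inspect.

```python
import io
import zipfile

# Extensions commonly abused as script droppers in mail attachments (assumed list, extend as needed).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat"}
MAX_DEPTH = 3                          # nested archives deeper than this are flagged, not opened
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # refuse to inflate nested archives larger than this


def _is_script(name: str) -> bool:
    # Compare on the final extension so "invoice.pdf.vbs" is still caught.
    lower = name.lower()
    return any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def scan_archive(data: bytes, path: str = "attachment.zip", depth: int = 0) -> list:
    """Return (member_path, reason) findings for a zip given as bytes, recursing into inner zips."""
    if depth > MAX_DEPTH:
        return [(path, "nested archive depth exceeded")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "not a valid zip")]
    findings = []
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            if info.flag_bits & 0x1:            # bit 0 of the general-purpose flags = encrypted
                findings.append((member, "encrypted member (content cannot be inspected)"))
                continue
            if _is_script(info.filename):
                findings.append((member, "script file inside archive"))
            if info.filename.lower().endswith(".zip"):
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member, "nested archive too large to inspect"))
                    continue
                findings.extend(scan_archive(zf.read(info), member, depth + 1))
    return findings


def build_sample() -> bytes:
    """Constructed sample: outer zip with a decoy text file and an inner zip holding a .vbs."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_2020.pdf.vbs", "' constructed placeholder, not a real downloader\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "constructed sample")
        z.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, reason in scan_archive(build_sample()):
        print(f"{reason}: {member}")
```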

Copyright © 2020 IDG Communications, Inc.