QBot Trojan operators are using new tactics to hijack legitimate, emailed conversations in order to steal credentials and financial data.
On Thursday, cybersecurity researchers from Check Point published research on the new trend, in which Microsoft Outlook users are susceptible to a module designed to collect and compromise email threads on infected machines.
QBot, also known as Qakbot and Pinkslipbot, is a prolific form of malware estimated to have claimed at least 100,000 victims across countries including the US, India, and Israel. Originally identified in 2008, the Trojan is considered a "Swiss Army knife" malware as it acts not only as a typical information-stealer, but is also able to deploy ransomware -- and contains other dangerous capabilities.
A new variant of QBot, detected in several campaigns between March and August this year, is being deployed as a malicious payload by operators of the Emotet Trojan. The researchers estimate that one particularly extensive campaign in July impacted roughly 5% of organizations worldwide.
The malware lands on a vulnerable machine via phishing documents containing URLs to .ZIP files that serve VBS content, calling the payload from one of six hardcoded encrypted URLs.
Once a PC has been infected, a new and interesting module in the modern QBot variant described by Check Point as an "email collector module" extracts all email threads contained within an Outlook client and uploads them to the attacker's command-and-control (C2) server.
The hijacked threads are then used to propagate the malware further. By jumping on legitimate threads, unwitting readers might think messages sent by the attackers are legitimate, and therefore, are more likely to click on infected attachments.
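The thread-hijacking described above leaves a footprint a mail-security layer can look for: a message that claims to continue an existing conversation (an In-Reply-To header pointing at a known message) but comes from a domain that never took part in that conversation, and that carries a ZIP holding a VBS script, the delivery vehicle the article names. The following Python is an added example written for this page; it is not Check Point's detection logic and not part of the original article. All addresses, domains (`example.test`, `supplier.test`, `unrelated.test`), message IDs and attachment names are constructed, and the rule itself (new sender domain plus archived script in a reply) is an assumed heuristic.

```python
"""Constructed example: flag replies that ride an existing email thread from an
outside domain while carrying a ZIP with a .vbs file. Added illustration, not
the article's or Check Point's code; every address and file name is made up."""
import io
import zipfile
from email.message import EmailMessage
from email.utils import getaddresses


def build_message(msg_id, sender, recipients, subject, body,
                  in_reply_to=None, attachment=None):
    """Assemble one RFC 5322 message from constructed sample data."""
    msg = EmailMessage()
    msg["Message-ID"] = msg_id
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
    msg.set_content(body)
    if attachment:
        name, data, maintype, subtype = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg


def build_zip(files):
    """Return the bytes of an in-memory ZIP holding {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def address_domains(msg, *headers):
    """Lower-cased domains of every address found in the named headers."""
    pairs = getaddresses([msg.get(h, "") for h in headers])
    return {addr.rpartition("@")[2].lower() for _, addr in pairs if "@" in addr}


def scripts_in_archives(msg):
    """Names of .vbs members inside any ZIP attachment (indicator taken from the article)."""
    found = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() != "application/zip" and not fname.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found.extend(n for n in zf.namelist() if n.lower().endswith(".vbs"))
        except zipfile.BadZipFile:
            found.append(f"{fname}: unreadable archive")  # still worth a look
    return found


def scan_thread(messages):
    """Walk a thread in delivery order and report replies whose sender domain
    never appeared in the thread before and which carry a ZIP with a VBS file.
    Returns a list of (message_id, sender_domain, [script names])."""
    known = set()
    findings = []
    for msg in messages:
        sender = address_domains(msg, "From")
        is_reply = bool(msg.get("In-Reply-To"))
        scripts = scripts_in_archives(msg)
        if is_reply and not sender <= known and scripts:
            findings.append((str(msg["Message-ID"]), next(iter(sender), ""), scripts))
            continue  # a flagged message must not vouch for its own domain
        known |= sender | address_domains(msg, "To", "Cc")
    return findings


def sample_thread():
    """Constructed four-message thread; the last message is the hijack attempt."""
    alice = "Alice <alice@example.test>"
    bob = "Bob <bob@supplier.test>"
    m1 = build_message("<1@example.test>", alice, [bob], "Q3 invoice",
                       "Hi Bob, could you send the invoice?")
    m2 = build_message("<2@supplier.test>", bob, [alice], "Re: Q3 invoice",
                       "Sending it tomorrow.", in_reply_to="<1@example.test>")
    m3 = build_message("<3@supplier.test>", bob, [alice], "Re: Q3 invoice",
                       "Here it is.", in_reply_to="<2@supplier.test>",
                       attachment=("invoice.pdf", b"%PDF-1.4 constructed", "application", "pdf"))
    # Display name copied from the thread, address on an unrelated domain,
    # ZIP containing a placeholder .vbs (no real script content).
    m4 = build_message("<4@mail.unrelated.test>", "Alice <alice@unrelated.test>", [bob],
                       "Re: Q3 invoice", "See attached, thanks!", in_reply_to="<3@supplier.test>",
                       attachment=("invoice_0819.zip",
                                   build_zip({"invoice_0819.vbs": "' constructed placeholder"}),
                                   "application", "zip"))
    return [m1, m2, m3, m4]


if __name__ == "__main__":
    for msg_id, domain, scripts in scan_thread(sample_thread()):
        print(f"suspect reply {msg_id} from {domain}: {scripts}")
```

The legitimate reply with a PDF from `supplier.test` passes because that domain already took part in the thread; only the out-of-domain reply carrying the archived VBS is reported. In practice the domain allow-list would be built from the organisation's own mail store and the indicator list widened beyond `.vbs`, but the shape of the check stays the same.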
Subjects tracked by the team include tax payment reminders, job recruitment content, and COVID-19-related messages.
QBot is able to steal browsing data, email records, and banking credentials. One of the Trojan's modules downloads Mimikatz to harvest passwords.
The malware is also able to perform browser web injections and install malicious payloads including ransomware such as ProLock. In addition, QBot connects infected machines as slave nodes in a wider botnet, which could be weaponized to conduct distributed denial-of-service (DDoS) attacks. Another new feature of QBot is the ability to remotely fetch and install updates and new modules.
A QBot malspam campaign launched this month focused on US and European targets, including government, military, and manufacturing entities.
"These days Qbot is much more dangerous than it was previously -- it has active malspam campaigns which infect organizations, and it manages to use a third-party infection infrastructure like Emotet's to spread the threat even further," the researchers say.