Qbot Banking Trojan Increasingly Delivered Via Business Emails

A malicious spam-email campaign has been observed increasingly spreading banking Trojans from the QBot (or Qakbot) family using fake business emails.

Discovered by security researchers at Kaspersky, the malicious campaign relied on messages written in different languages, including English, German, Italian and French.

“The messages were based on real business letters the attackers had gotten access to, which afforded them the opportunity to join the correspondence thread with messages of their own,” reads an advisory published by the company earlier today.

Written by Kaspersky security experts Victoria Vlasova, Andrey Kovtun and Darya Ivanova, the post also explained that these emails typically urged the addressee to open an attached PDF file.

“Such simulated business correspondence can obstruct spam tracking while increasing the probability of the victim falling for the trick,” explained Vlasova, Kovtun and Ivanova.

“For authenticity, the attackers put the sender’s name from the previous letters in the ‘From’ field; however, the sender’s fraudulent email address will be different from that of the real correspondent.”
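One way a mail gateway could apply the display-name check described above, as an added example that is not part of the Kaspersky advisory or this article. The thread messages, names and addresses below are constructed, and the check assumes the gateway already holds the earlier messages of the thread.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a legitimate earlier message in a business thread.
KNOWN_THREAD = ["""From: Anna Schmidt <anna.schmidt@example-partner.de>
To: buyer@example-corp.com
Subject: Re: Quote 2023-117
Message-ID: <orig-1@example-partner.de>

Please find the quote attached.
"""]

# Constructed sample: a reply that reuses the display name from the thread
# but comes from a different address and carries a PDF attachment.
SUSPECT = """From: Anna Schmidt <anna.schmidt@mail-relay-example.net>
To: buyer@example-corp.com
Subject: Re: Quote 2023-117
In-Reply-To: <orig-1@example-partner.de>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please check the attachment.
--b1
Content-Type: application/pdf; name="Quote.pdf"
Content-Disposition: attachment; filename="Quote.pdf"

%PDF-1.4 (constructed, truncated)
--b1--
"""

def known_senders(raw_messages):
    """Map each display name seen in earlier thread messages to its address(es)."""
    seen = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        name, addr = parseaddr(str(msg["From"]))
        seen.setdefault(name.strip().lower(), set()).add(addr.lower())
    return seen

def check_reply(raw, seen):
    """Return findings for a new message, judged against the known thread senders."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    findings = []
    known = seen.get(name.strip().lower())
    if known is not None and addr.lower() not in known:
        findings.append(f"display name '{name}' previously used {sorted(known)}, now {addr}")
        if msg["In-Reply-To"]:
            findings.append("mismatched sender joins an existing thread via In-Reply-To")
    for part in msg.iter_attachments():  # only non-body parts are yielded
        if part.get_content_type() == "application/pdf":
            findings.append(f"PDF attachment: {part.get_filename()}")
    return findings
```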

When the recipient opens the attached PDF, it prompts them to download an archive from a remote server; the archive is protected with a password supplied in the PDF itself. That archive, in turn, contains a WSF (Windows Script File) holding an obfuscated script written in JScript.

“After the WSF file is deobfuscated, its true payload gets revealed: a PowerShell script encoded into a Base64 line,” Kaspersky wrote. “As soon as the user opens the WSF file from the archive, the PowerShell script will be discreetly run on the computer and use wget to download a DLL file from a remote server.”

Kaspersky said the newly observed variants of the Trojan do not differ much from previously observed ones.

“As before, the bot is capable of extracting passwords and cookies from browsers, stealing letters from your mailbox, intercepting traffic, and giving operators remote access to the infected system,” reads the technical write-up.

Read more about the Qbot malware here: Qakbot, Analysing a Modern-Day Banking Trojan

Some variants can download additional malware tools, such as CobaltStrike (to spread the infection throughout the corporate network) or ransomware. Kaspersky has also observed some Qbot versions turning victims’ computers into proxy servers to facilitate traffic redirection.

The latest Qbot campaign mainly targeted users in Germany (28.01%), Argentina (9.78%) and Italy (9.58%). It comes a few months after Qbot overtook Emotet as the most prevalent malware found in the wild in December 2022. Since then, Emotet has regained its top spot on Check Point’s list.
