QBot operators change tactics to infect victims via hijacked email

Email threads can get hijacked by the QBot trojan, so other people get malware from your replies

Ten-year-old malware can infect devices via email and then spread other threats or exfiltrate data from the machine or the browser. The data-stealing Qbot Trojan has changed tactics to hijack legitimate email conversation chains, so that credentials get stolen and financial data obtained.[1] It also lets malicious actors infect other victims easily.[2] This QakBot or QBot trojan has been known for at least ten years, and it focuses on stealing valuable information such as stored passwords, cookies, credit cards, emails, and online banking account details.

These new ‘tricks’ mean that despite its age, Qbot is still a dangerous and persistent threat to organizations.

This trojan is not new, so its activities, including the distribution of other malware,[3] are known. It compromises computers and is used by other malware such as the Emotet botnet.[4] The recent reports show that Qbot has started using a new technique that affects Microsoft Outlook users. A module designed to collect email threads on the infected machine allows its creators to compromise devices and spread the malware further.

Data collected for later email scam campaigns

The QBot trojan continues to rely on its older functions and techniques, which borrow tactics used by the Gozi and Ursnif trojans and by Emotet. Stealing a full email thread is useful because, later on, the malware creators can use the reply chain for email attacks. These reply-chain phishing campaigns work when a user from the stolen email thread receives a reply carrying a malicious document that contains a malware script.

Infection happens quickly because the attachments, delivered as ZIP archives or MS Office documents, execute their payload once opened. A VBS script then downloads the Qbot malware onto the machine. From there, there are many ways the Trojan can act. Researchers state:

During our tracking of the malspam campaign, we have seen hundreds of different URLs for malicious ZIP dropping when most of them were compromised WordPress sites.

Using stolen emails against other users creates a cycle of new victims, and the malware can also be spread later on by sending emails with documents directly from other compromised accounts. Researchers even revealed particular campaigns whose subject lines relate to tax payments, the pandemic situation, job offers, transactions, and refund reminders. These email spam campaigns can become highly targeted.
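A defender-side triage heuristic for the reply-chain delivery described above, added here as an example (not the article's or any vendor's code): it flags a message that is a reply to an existing thread and carries a ZIP wrapping an Office document or script, or a macro-enabled document directly. The sample message, file names and extension lists are constructed assumptions.

```python
"""Heuristic triage for reply-chain phishing with ZIP/Office attachments."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed risky types: documents/scripts inside a ZIP, or macro-enabled files sent directly.
RISKY_INNER = (".doc", ".docm", ".xls", ".xlsm", ".vbs", ".js")
RISKY_DIRECT = (".docm", ".xlsm", ".vbs", ".js")

def is_reply(msg: EmailMessage) -> bool:
    """A reply carries threading headers or a 'Re:' subject."""
    subj = (msg.get("Subject") or "").strip().lower()
    return bool(msg.get("In-Reply-To") or msg.get("References")) or subj.startswith("re:")

def risky_attachments(msg: EmailMessage) -> list[str]:
    """Return attachment names (and ZIP member names) that match risky extensions."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                hits += [f"{name}:{m}" for m in zf.namelist() if m.lower().endswith(RISKY_INNER)]
        elif name.endswith(RISKY_DIRECT):
            hits.append(name)
    return hits

def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and flag reply + risky attachment together."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = risky_attachments(msg)
    return {"reply": is_reply(msg), "risky": hits, "flag": is_reply(msg) and bool(hits)}

def build_sample() -> bytes:
    """Constructed reply message with a ZIP wrapping a macro-enabled document (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_1234.docm", b"placeholder, not a real document")
    msg = EmailMessage()
    msg["Subject"] = "Re: Q3 invoice"
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["In-Reply-To"] = "<original-thread@example.com>"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

Such a rule is a triage signal for a mail gateway or SIEM, not a verdict; legitimate replies with archived documents will also match and need sandboxing or analyst review.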

Despite being an old Trojan, QBot has many dangerous functionalities that keep evolving

The malware is also known as Qakbot and Pinkslipbot, and has been active since 2008 as a data-stealing trojan. Collecting browsing data, stealing banking credentials and other sensitive information are its main purposes. However, this threat is compared to other notorious malware strains, and it can:

  • steal information from the infected device;
  • install other threats like ransomware;
  • allow the remote controller or a Bot to connect to the computer to make transactions from the particular victim's IP address;
  • hijack email threads on the Outlook account and use them to infect other computers.

Many campaigns have been analyzed, but the most prominent attacks were observed in March and June of this year. The main targets of this malware are organizations and companies. Most of them are in the United States or Europe, in industries such as government, manufacturing, healthcare, finance, and legal services.[5]

About the author
Julie Splinters, Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. She holds a bachelor's degree in English Philology.
