Identity Theft: recent attacks of the super-fast Qbot malware

February 10, 2022
Qbot

Qbot, a trojan malware active since 2007, is back again with new functions and new stealth capabilities.

It now quickly spreads across all workstations in an environment, while stealing browser information and emails. It is delivered via one of three phishing email methods: malicious links, malicious attachments or embedded images.

As shown in the screenshot below, the most recent infections, which first started in late 2021, were the result of a malicious email campaign used to deliver an Excel document.


Once the user downloads and opens the malicious Excel file, the text in the document attempts to lure them into enabling the macro. The text claims that the file is “protected” by a service such as Microsoft or DocuSign (below), and that the user must enable the macro to view the document’s actual content. If the user goes ahead and enables the macro, the malicious code starts spreading and infects the machine and the network faster than ever.

Malware researchers found that thirty minutes after initial access, Qbot was observed collecting data from the first infected host including browser data and emails from Outlook. At around 50 minutes into the infection, the malware infected an adjacent workstation. Minutes later all workstations in the network were compromised.

Screenshot of malicious Excel file with lure to enable macros

Macro enablement

Despite the varying email methods attackers are using to deliver Qbot, these campaigns have in common their use of malicious macros in Office documents, specifically Excel 4.0 macros. It should be noted that while threats use Excel 4.0 macros as an attempt to evade detection, this feature is now disabled by default and thus requires users to enable it manually for such threats to execute properly.
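As an added illustration (not code from the article or from any vendor), here is a small Python triage script for the workbook layout these lures depend on: an Excel 4.0 macro sheet that is hidden or wired to Auto_Open. It assumes the standard OOXML package layout, in which XLM macro sheets are parts with content type `application/vnd.ms-excel.macrosheet+xml` and sheet visibility and the built-in `_xlnm.Auto_Open` name live in `xl/workbook.xml`; the workbook it scans is constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed standard OOXML layout (not from the article): XLM macro sheets use this content type.
XLM_CONTENT_TYPE = "application/vnd.ms-excel.macrosheet+xml"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
SML_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def scan_workbook(data: bytes) -> dict:
    """Report Excel 4.0 macro indicators in an OOXML workbook (.xlsx/.xlsm) given as bytes."""
    found = {"xlm_parts": [], "hidden_sheets": [], "auto_open": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" in names:
            # Every part declares its content type here; XLM sheets stand out by type.
            for el in ET.fromstring(zf.read("[Content_Types].xml")).iter(CT_NS + "Override"):
                if el.get("ContentType") == XLM_CONTENT_TYPE:
                    found["xlm_parts"].append(el.get("PartName"))
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.iter(SML_NS + "sheet"):
                if sheet.get("state") in ("hidden", "veryHidden"):
                    found["hidden_sheets"].append((sheet.get("name"), sheet.get("state")))
            for dn in root.iter(SML_NS + "definedName"):
                # The built-in Auto_Open name is what makes an XLM sheet run when the file opens.
                if (dn.get("name") or "").lower().endswith("auto_open"):
                    found["auto_open"] = True
    # An XLM sheet that is hidden or tied to Auto_Open matches the lure pattern described above.
    found["suspicious"] = bool(found["xlm_parts"]) and (bool(found["hidden_sheets"]) or found["auto_open"])
    return found

def build_sample() -> bytes:
    """Constructed minimal workbook: a visible decoy sheet plus a veryHidden XLM sheet with Auto_Open."""
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
          '<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="' + XLM_CONTENT_TYPE + '"/>'
          '</Types>')
    wb = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
          '<sheets><sheet name="DocuSign" sheetId="1"/><sheet name="Macro1" sheetId="2" state="veryHidden"/></sheets>'
          '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
          '</workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", wb)
        zf.writestr("xl/macrosheets/sheet1.xml", "<xm/>")  # macro sheet body is irrelevant to the scan
    return buf.getvalue()
```

A real mail-gateway or sandbox check would run `scan_workbook` over every attachment and quarantine anything with `suspicious` set, regardless of whether the user would have enabled macros.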

In the past 14 years, this malware has gone by a handful of names, including Qakbot and Pinkslipbot. Recent changes to its modus operandi make it still very active and dangerous. As with any phishing email, text or IM, the best prevention is to learn how to identify lures in messages and to ignore unsolicited communication. And always report reconnaissance attempts and other suspicious activity to your IT/Cybersecurity managers.
