New QBot Banking Trojan Campaign Hijacks Business Emails to Spread Malware

New QBot Banking Trojan Campaign Hijacks Business Emails to Spread Malware

Researchers are seeing a “significant increase” in attacks deploying the Qakbot malware, which have targeted victims in Germany, Argentina, Italy, Algeria, Spain, the U.S. and other countries with emails containing PDF attachments that deliver the banking trojan.

What is QBOT ?

Qakbot, which was first detected in 2007, has since grown into a multi-purpose malware with multiple functionalities, including tools for performing reconnaissance, exfiltrating data and delivering other payloads. Its modular nature gives it flexibility for keeping up with the evolving threat landscape, and the malware has recently seen growing popularity among a variety of threat groups that either use its various capabilities or any of its second-stage payloads.

New QBot Banking Trojan Campaign Hijacks Business Emails to Spread Malware
Reference :Securelist

Attackers deploying the malware have previously relied on hijacked email threads (harvested in bulk from Microsoft ProxyLogon).Researchers said at least 4,500 spam emails have been sent in this wave of attacks, which they first observed April 4.

“The malware would be delivered through e-mail letters written in different languages — variations of them were coming in English, German, Italian, and French,” said Victoria Vlasova, Andrey Kovtun and Darya Ivanova, researchers with Kaspersky in a monday report.

“After the WSF file is deobfuscated, its true payload gets revealed: a PowerShell script encoded into a Base64 line,” Kaspersky wrote. “As soon as the user opens the WSF file from the archive, the PowerShell script will be discreetly run on the computer and use wget to download a DLL file from a remote server.”

 Kaspersky has also observed some Qbot versions turning victims’ computers into proxy servers to facilitate traffic redirection.

Qbot indicators of compromise


MD5
PDF files
253E43124F66F4FAF23F9671BBBA3D98
39FD8E69EB4CA6DA43B3BE015C2D8B7D

ZIP archives
299FC65A2EECF5B9EF06F167575CC9E2
A6120562EB673552A61F7EEB577C05F8

WSF files
1FBFE5C1CD26C536FC87C46B46DB754D
FD57B3C5D73A4ECD03DF67BA2E48F661

DLL
28C25753F1ECD5C47D316394C7FCEDE2

Malicious links
ZIP archive
cica.com[.]co/stai/stai.php
abhishekmeena[.]in/ducs/ducs.php

DLL
rosewoodlaminates[.]com/hea/yWY9SJ4VOH
agtendelperu[.]com/FPu0Fa/EpN5Xvh
capitalperurrhh[.]com/vQ1iQg/u6oL8xlJ
centerkick[.]com/IC5EQ8/2v6u6vKQwk8
chimpcity[.]com/h7e/p5FuepRZjx
graficalevi.com[.]br/0p6P/R94icuyQ
kmphi[.]com/FWovmB/8oZ0BOV5HqEX
propertynear.co[.]uk/QyYWyp/XRgRWEdFv
theshirtsummit[.]com/MwBGSm/lGP5mGh

Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!