The new Qbot email campaign uses a combination of PDF and WSF files to install the malware and steal the victim’s banking credentials.

Cyberattacks that use banking trojans of the Qbot family have been targeting companies in Germany, Argentina, and Italy since April 4 by hijacking business emails, according to research by cybersecurity firm Kaspersky.

In the latest campaign, the malware is delivered through emails written in English, German, Italian, and French. The messages are based on real business emails that the attackers have gained access to. This gives the attackers the opportunity to join the correspondence thread with messages of their own, Kaspersky said in its report.

Through such emails, the attackers try to persuade the victim to download an attached PDF, which eventually helps them install the Qbot trojan on the victim’s computer.

Qbot, also known as Qakbot or Pinkslipbot, is a banking trojan that was first observed in 2007 and is designed to steal victims’ banking credentials. The trojan has gone through multiple modifications and improvements and has become one of the most actively spread malware families.

“Such simulated business correspondence can obstruct spam tracking while increasing the probability of the victim falling for the trick,” Kaspersky said.

“For authenticity, the attackers put the sender’s name from the previous letters in the ‘From’ field; however, the sender’s fraudulent email address will be different from that of the real correspondent,” Kaspersky said in the report.

Use of PDF and WSF files to install the trojan

The Qbot malware delivery campaign begins with an email carrying a PDF file as an attachment being sent to the victim.
The PDF file’s content imitates a Microsoft Office 365 or Microsoft Azure alert, recommending that the victim click “Open to view the attached files.” Once opened, an archive is downloaded from a remote server.

“In the downloaded archive, there is a .wsf (Windows Script File) file containing an obfuscated script written in JScript,” Kaspersky said. When the WSF file is de-obfuscated, a PowerShell payload is revealed.

The PowerShell script then runs on the victim’s computer to download the Qbot trojan, which then tries to steal the victim’s banking credentials.

New campaign peaked between April 4 and April 12

The first emails with malicious PDF attachments began to arrive on the evening of April 4. The mass email campaign began at 12:00 pm on the following day and continued until 9:00 pm, Kaspersky said. During this time approximately 1,000 emails in total were detected. The second upsurge began on April 6, at noon, with over 1,500 emails dispatched.

“For the next few days new messages kept coming, and soon, on the evening of April 12 we discovered another upsurge with 2,000 more letters (emails) sent to our customers,” Kaspersky said. Since then, the cybercriminal activity has gone down, but users still receive fraudulent messages.

The campaign mainly targets users in Germany, Argentina, and Italy. In March, Qbot was the most prevalent malware with an impact of more than 10% on worldwide organizations, according to Check Point.

Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. The trojan’s distribution methods have also evolved. Earlier it was distributed through infected websites and pirated software. “Now the banker (banking trojan) is delivered to potential victims through malware already residing on their computers, social engineering, and spam mailings,” Kaspersky said.
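The “From” field trick Kaspersky describes, where the display name of a previous correspondent is reused with a different address, can be checked mechanically at the mail gateway. The following Python example is added here and is not from the article or from Kaspersky. It parses constructed sample messages with the standard library, compares the sender’s display name against an assumed known-correspondent list, and combines that mismatch with the reply-thread headers and the PDF attachment described above. The addresses, the KNOWN_CORRESPONDENTS mapping and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed directory of known correspondents (display name -> address).
# In practice this would come from an address book or prior mail history.
KNOWN_CORRESPONDENTS = {
    "Anna Schmidt": "anna.schmidt@example-partner.de",
}

# Constructed sample: the display name matches a known correspondent, the
# address does not, the message claims to continue an existing thread,
# and it carries a PDF attachment (the lure described in the article).
HIJACKED_MESSAGE = """\
From: Anna Schmidt <anna.schmidt@mail-login-example.net>
To: accounting@example-victim.de
Subject: RE: Invoice 2023-04
In-Reply-To: <thread-1234@example-partner.de>
References: <thread-1234@example-partner.de>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, please find the documents attached as discussed.
--b1
Content-Type: application/pdf; name="Invoice.pdf"
Content-Disposition: attachment; filename="Invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed control sample: same thread and attachment, but the address
# really belongs to the known correspondent.
LEGIT_MESSAGE = HIJACKED_MESSAGE.replace(
    "anna.schmidt@mail-login-example.net", "anna.schmidt@example-partner.de"
)


def assess_message(raw_message: str, known: dict) -> list:
    """Return the indicator tags found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    tags = []

    # Indicator 1: display name is a known contact but the address differs.
    name, addr = parseaddr(str(msg["From"] or ""))
    expected = known.get(name.strip())
    if expected and expected.lower() != addr.lower():
        tags.append("from-name-address-mismatch")

    # Indicator 2: the message presents itself as a reply in an existing thread.
    if msg["In-Reply-To"] or msg["References"]:
        tags.append("claims-existing-thread")

    # Indicator 3: a PDF attachment, the lure used in this campaign.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".pdf"):
            tags.append("pdf-attachment")
            break
    return tags


def is_suspicious(tags: list) -> bool:
    """Combine indicators: a spoofed known sender delivering a PDF lure."""
    return "from-name-address-mismatch" in tags and "pdf-attachment" in tags


if __name__ == "__main__":
    for label, raw in (("hijacked", HIJACKED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        found = assess_message(raw, KNOWN_CORRESPONDENTS)
        print(f"{label}: {found} -> suspicious={is_suspicious(found)}")
```

The name/address comparison is deliberately the deciding indicator: a PDF in a reply thread is ordinary business mail, and flagging it alone would drown the gateway in false positives. The address mismatch is what the article identifies as the giveaway, so the other two tags only raise the priority of a message that already shows it.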