The new Qbot email campaign uses a combination of PDF and WSF files to install the malware and steal the victim’s banking credentials.

Cyberattacks that use banking trojans of the Qbot family have been targeting companies in Germany, Argentina, and Italy since April 4 by hijacking business emails, according to research by cybersecurity firm Kaspersky.

In the latest campaign, the malware is delivered through emails written in English, German, Italian, and French. The messages are based on real business emails that the attackers have gained access to. This gives the attackers the opportunity to join the correspondence thread with messages of their own, Kaspersky said in its report.

Through such emails, the attackers try to persuade the victim to download an attached PDF, which would eventually help them install the Qbot trojan on the victim’s computer.

Qbot, also known as Qakbot or Pinkslipbot, is a banking trojan that was first observed in 2007 and is designed to steal victims’ banking credentials. The trojan has gone through multiple modifications and improvements and has become one of the most actively spread malware families.

“Such simulated business correspondence can obstruct spam tracking while increasing the probability of the victim falling for the trick,” Kaspersky said.

“For authenticity, the attackers put the sender’s name from the previous letters in the ‘From’ field; however, the sender’s fraudulent email address will be different from that of the real correspondent,” Kaspersky said in the report.

Use of PDF and WSF files to install the trojan

The Qbot malware delivery campaign begins with an email carrying a PDF file as an attachment being sent to the victim. The PDF file’s content imitates a Microsoft Office 365 or Microsoft Azure alert, recommending that the victim click “Open to view the attached files.” Once opened, an archive is downloaded from a remote server.

“In the downloaded archive, there is a .wsf (Windows Script File) file containing an obfuscated script written in JScript,” Kaspersky said. When the WSF file is de-obfuscated, a PowerShell payload is revealed. The PowerShell script then runs on the victim’s computer to download the Qbot trojan, which then tries to steal the victim’s banking credentials.

New campaign peaked between April 4 and April 12

The first emails with malicious PDF attachments began to arrive on the evening of April 4. The mass email campaign began at 12:00 pm on the following day and continued until 9:00 pm, Kaspersky said. During this time, approximately 1,000 emails were detected. The second upsurge began on April 6 at noon, with over 1,500 emails dispatched.

“For the next few days new messages kept coming, and soon, on the evening of April 12 we discovered another upsurge with 2,000 more letters (emails) sent to our customers,” Kaspersky said. Since then, the cybercriminal activity has gone down, but users still receive fraudulent messages.

The campaign mainly targets users in Germany, Argentina, and Italy. In March, Qbot was the most prevalent malware worldwide, with an impact on more than 10% of organizations, according to Check Point.

Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. The trojan’s distribution methods have also evolved: earlier it was distributed through infected websites and pirated software. “Now the banker (banking trojan) is delivered to potential victims through malware already residing on their computers, social engineering, and spam mailings,” Kaspersky said.
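As an added example (not from the Kaspersky report or this article), the following Python snippet shows how a defender could flag the WSF-to-PowerShell step of the chain described above in endpoint process-creation telemetry. It assumes simplified Sysmon-style events with pid, ppid, image and cmdline fields, that the .wsf file is executed by Windows Script Host (wscript.exe or cscript.exe), and uses constructed sample events rather than real campaign data.

```python
# Constructed Sysmon-style process-creation events (simplified fields), not real
# telemetry: a mail client spawns wscript.exe on a .wsf extracted into a temp
# archive folder, which in turn spawns powershell.exe (the chain in the article).
# The last two events are a benign admin script that does not launch PowerShell.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"pid": 4312, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\Rar$DIa1\Invoice.wsf"'},
    {"pid": 4320, "ppid": 4312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command <redacted>"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Scripts\backup.wsf"'},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo done"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries that run .wsf
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_wsf_to_powershell(events):
    """Flag PowerShell processes whose parent is a script host running a .wsf file.

    Each hit records both pids, the parent command line, and whether the script
    sits under a Temp directory (where archive tools extract attachments).
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if _basename(event["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get(event["ppid"])
        if parent is None or _basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        parent_cmd = parent["cmdline"].lower()
        if ".wsf" not in parent_cmd:
            continue
        hits.append({"script_host_pid": parent["pid"], "powershell_pid": event["pid"],
                     "script_cmdline": parent["cmdline"], "from_temp": "\\temp\\" in parent_cmd})
    return hits
```

Run against the sample events it returns a single hit for the wscript.exe to powershell.exe pair, with the benign cscript.exe job left unflagged; the from_temp field is the extra signal that the script came out of an extracted archive.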