Qbot trojan evolves to hijack legitimate email threads
The Qbot trojan first appeared in 2008 as banking and credential theft malware, evolving over the years to deliver ransomware attacks, making it something of a Swiss Army knife of the malware world.
Researchers at Check Point have now uncovered a further evolution that allows Qbot to hijack legitimate email conversations from an infected user's Outlook email client, and then spam itself out using those hijacked emails to increase its chances of tricking other users into getting infected.
It's reckoned there are over 100,000 current victims globally, making it the most widespread malware currently out there. The USA is the number one target country, making up nearly 29 percent of attacks detected, followed by India, Israel and Italy with seven percent each.
The infection chain starts by sending specially crafted emails to the target organizations or individuals. Each of the emails contain a URL to a ZIP with a malicious Visual Basic Script (VBS) file, which contains code that can be executed within Windows.
Once a machine gets infected, Qbot activates an 'email collector module' which extracts all email threads from the victim's Outlook client, and uploads them to a hardcoded remote server. These stolen emails are then utilized for future spam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation.
"Our research shows how even older forms of malware can be updated with new features to make them a dangerous and persistent threat," says Yaniv Balmas, head of cyber research at Check Point. "The threat actors behind Qbot are investing heavily in its development to enable data theft on a massive scale from organizations and individuals. We have seen active malspam campaigns distributing Qbot directly, as well as the use of third-party infection infrastructures like Emotet's to spread the threat even further. We hope that our observations and research into Qbot will help put an end to the threat. For now, I strongly recommend people to watch their emails closely for signs that indicate a phishing attempt -- even when the email appears to come from a trusted source."
You can find full details of the latest Qbot features on the Check Point blog.