Infection has already been detected in 10 countries, including Russia, the UK and the USA.
According to the latest report from Kaspersky Lab, a new QBot malware campaign is using hijacked business email threads to trick unsuspecting victims into installing the malware on their devices.
The latest wave of malware activity, recorded on April 4 this year, was primarily targeted at users in Germany, Argentina, Italy, Algeria, Spain, the United States, Russia, France, Great Britain, and Morocco.
QBot (aka Qakbot or Pinkslipbot) is a banking Trojan that has been active since at least 2007. In addition to stealing passwords and cookies from web browsers, it acts as a backdoor that delivers next-stage payloads such as Cobalt Strike or various ransomware families.
Spread mainly through phishing campaigns, the malware has been updated constantly over its lifetime. The latest versions use anti-VM, anti-debugging and anti-sandbox techniques to evade detection and to hinder analysis by researchers.
According to Check Point analysts, QBot was the most prevalent malware in March of this year.
“At first, QBot was distributed through infected websites and pirated software. Now the banker is delivered to potential victims using malware already on their computers, as well as social engineering and spam mailings,” Kaspersky researchers said, explaining QBot's distribution methods.
Email thread hijacking is far from new. The attackers reply inside existing business conversations, or start new ones built on information harvested from previously compromised email accounts, so the message arrives from a sender the victim already trusts and in a context that looks familiar. The goal is to get the victim to click a malicious link or open a malicious attachment.
In the latest QBot campaign, the lure is a PDF that claims it cannot be displayed because it contains protected files. Clicking its "Open" button downloads a ZIP archive from an attacker-controlled website.
The archive contains an obfuscated Windows Script File (.wsf) whose only job is to launch a PowerShell script. That script in turn downloads a DLL from the attackers' remote server, and the DLL is the QBot payload itself.
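The delivery chain above lends itself to a simple host-based detection: a Windows script host (wscript.exe or cscript.exe) executing a .wsf, spawning PowerShell, which then writes a DLL to disk. The Python below is an added example, not code from Kaspersky or from the article. The event records are constructed for this example to loosely resemble process-creation and file-creation telemetry; the field names (type, pid, ppid, image, cmdline, path) are assumptions made here, not any real log schema.

```python
"""Flag the .wsf -> PowerShell -> DLL-drop chain in process/file telemetry.

Added example (not vendor code). Events are constructed; the record layout is
an assumption for illustration, not a real Sysmon or EDR schema.
"""
import ntpath
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    stage: str   # which link of the chain matched
    pid: int     # process that triggered the finding
    detail: str  # command line or file path for the analyst


def _basename(path: str) -> str:
    # ntpath handles Windows separators on any host OS.
    return ntpath.basename(path).lower()


def find_wsf_to_powershell_chain(events):
    """Return findings for: script host runs a .wsf -> PowerShell child -> .dll written.

    Stage 1 alone is low confidence (admins do run .wsf files); stage 2 is
    suspicious; stage 3 (a DLL written by that PowerShell lineage) is high.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []

    # Stage 1: a Windows script host launched with a .wsf on its command line.
    wsf_hosts = set()
    for p in procs.values():
        if _basename(p["image"]) in SCRIPT_HOSTS and ".wsf" in p["cmdline"].lower():
            wsf_hosts.add(p["pid"])
            findings.append(Finding("1-wsf-launched", p["pid"], p["cmdline"]))

    # Stage 2: PowerShell whose parent is one of those script hosts.
    shells = set()
    for p in procs.values():
        if _basename(p["image"]) in SHELLS and p["ppid"] in wsf_hosts:
            shells.add(p["pid"])
            findings.append(Finding("2-powershell-from-wsf", p["pid"], p["cmdline"]))

    def lineage_has_shell(pid):
        # Walk up the parent chain; stop on unknown pid or a cycle.
        seen = set()
        while pid in procs and pid not in seen:
            if pid in shells:
                return True
            seen.add(pid)
            pid = procs[pid]["ppid"]
        return False

    # Stage 3: a DLL written by that PowerShell process or any of its descendants.
    for e in events:
        if e["type"] == "file" and e["path"].lower().endswith(".dll") and lineage_has_shell(e["pid"]):
            findings.append(Finding("3-dll-dropped-by-chain", e["pid"], e["path"]))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Benign: a user opens PowerShell from Explorer; an installer writes a DLL.
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"type": "process", "pid": 300, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i app.msi"},
    {"type": "file", "pid": 300, "path": r"C:\Program Files\App\app.dll"},
    # Chain matching the article: .wsf from an extracted archive -> PowerShell -> DLL in a temp dir.
    {"type": "process", "pid": 400, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice\invoice.wsf"'},
    {"type": "process", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -File stage.ps1"},
    {"type": "file", "pid": 500, "path": r"C:\Users\alice\AppData\Local\Temp\invoice\update.dll"},
]

if __name__ == "__main__":
    for f in find_wsf_to_powershell_chain(SAMPLE_EVENTS):
        print(f.stage, f.pid, f.detail)
```

The benign PowerShell launched from Explorer and the DLL written by msiexec produce no findings; only the script-host lineage is reported, in stage order, so an analyst can see how far the chain got. In a real deployment the same logic would sit on process-creation and file-creation events from Sysmon or an EDR, and PowerShell script block logging would additionally expose the download command itself.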
An infection of this kind can escalate into a devastating attack on a corporate network. Researchers at The DFIR Report showed last year that QBot begins stealing sensitive data roughly half an hour after the initial infection and, worse, starts spreading to neighboring workstations within about an hour.
If a device is infected with QBot, it is critical to take it offline as quickly as possible and to assess the entire network for unusual behavior, since the malware may already have reached other hosts.