Qbot Malware Can Read Your Email

Uploaded on 2022-02-16 in TECHNOLOGY--Resilience, TECHNOLOGY--Hackers, FREE TO VIEW

A new phishing campaign analysed by threat intelligence provider Check Point reveals how the old malware trojan has been repurposed to phish people by capturing their email threads. This malware called Qbot continues to target Windows PCs and other devices with new effectiveness. Although the malware first emerged in 2007, it remains a threat to Windows users. 

Qbot, otherwise known as Qakbot or QuakBot, is an old software threat to Windows users that pre-dates the first iPhone and has been continually developed.  Known for collecting browsing data and stealing banking credentials and other financial information from victims. It is highly structured, multi-layered, and is being continuously developed with new features to extend its capabilities.

Now, it appears that Qbot has gained a module that reads through email threads to improve the message’s apparent legitimacy to victims. In October, cyber security research company DFIR was able to obtain a sample of the malware and conduct analysis on its current form, finding that the tool is still able to easily exploit key apps, including Microsoft Outlook. 

The malware’s operators rely on clickable phishing messages, and deploy social engineering tactics in the form of tax payment reminders, job offers, and Covid-19 alerts to lure victims into clicking malicious links.

More specifically, the analysts report that it takes half an hour for the adversaries to steal browser data and emails from Outlook and 50 minutes before they jump to an adjacent workstation. DFIR found that there are certain cases where initial access was unknown, however, was it is likely delivered through a Microsoft Excel document that was configured by the attackers to download malware from a web page. 

Windows users should be aware of the ongoing threat and exercise caution when clicking email links from unknown or unexpected addresses. The malware hides malicious processes and creates scheduled tasks to persist on a machine. Once running on an infected device, it uses multiple techniques for lateral movement.

Qbot’s authors leverage legitimate Microsoft tools to their advantage, effectively raiding an entire network within 30 minutes of the victim’s click and they have now branched out to ransomware.

  • Security firm Kaspersky has said that Qbot malware has infected 65% MORE PCS in the six months to July 2021 compared to last year.
  • Microsoft has highlighted the effectiveness of Qbot malware for its modular design that makes it difficult to detect. 
  • The FBI has warned that Qbot trojans are used to distribute ProLock, a "human-operated ransomware". 

Regardless of how a Qbot malware infection is delivered, it is essential to remember that almost all begin with an email and this is the main access point that organisations need to strengthen.

Current malware counter measures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks that target Linux-based workloads. Linux is the most common cloud operating system and is a core part of digital infrastructure and is quickly becoming an attackers' favoured rout ro access a multi-cloud  environment.  All of these cyber security issues need far more attention.

CheckPoint:    DFIR REport:    Microsoft:    HelpNet Security:    TechRepublic:   Oodlaoop:    FBI:     

ZDNet:    Bleeping Computer:    

You Might Also Read: 

Beware PowerPoint Files With Hidden Malware:

 

« Russian Cyber Attacks On Ukraine Increase
Cyber Security Regulations For Smart Devices »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

E-Tech

E-Tech

E-Tech has been providing system support and information technology consulting services including Internet and Network Security assessments.

ForeScout Technologies

ForeScout Technologies

ForeScout delivers pervasive network security by allowing organisations to continuously monitor & mitigate security exposures & cyberattacks.

BackBox Software

BackBox Software

BackBox is a leading provider of solutions for automated backup and recovery software for security and network devices.

International Telecommunication Union (ITU)

International Telecommunication Union (ITU)

ITU is the United Nations specialized agency for information and communication technologies – ICTs. Areas of activity include cybersecurity.

Cyber Senate

Cyber Senate

Cyber Senate is dedicated to bringing Operators of Essential Services together with global subject matter experts to address the challenges of evolving cyber threats to critical infrastructure.

GlobalPlatform

GlobalPlatform

GlobalPlatform’s specifications are highly regarded as the international standard for enabling digital services and devices to be trusted and securely managed throughout their lifecycle.

ICT Reverse

ICT Reverse

ICT Reverse is one of the UK’s leading, fully accredited providers of ICT asset disposal and secure data erasure.

Partners in Regulatory Compliance (PIRC)

Partners in Regulatory Compliance (PIRC)

Partners in Regulatory Compliance provides an array of cybersecurity services including cybersecurity policy management, risk assessments and regulatory compliance consulting.

Centre for Cyber Security Belgium (CCB)

Centre for Cyber Security Belgium (CCB)

The Centre for Cyber Security Belgium is the central authority for cyber security in Belgium.

ActZero

ActZero

ActZero’s security platform leverages proprietary AI-based systems and full-stack visibility to detect, analyze, contain, and disrupt threats.

OmniCyber Security

OmniCyber Security

Omni is a cyber security firm specialising in Penetration Testing, Managed Security and Compliance.

Cympire

Cympire

Cympire significantly increases an organisation’s Cyber Resilience through continuous Training and Assessment. Cyber Security Training Platform. Cloud-based and fully customizable Cyber Range.

comforte AG

comforte AG

comforte AG is a leading provider of data-centric security technology. Organizations worldwide rely on our tokenization and format-preserving encryption capabilities to secure personal, sensitive data

Herzing College

Herzing College

Herzing College Ottawa offers an accelerated 12-month Cybersecurity Specialist training program. This program is developed by industry experts and based on leading IT security certifications.

Unified Infotech

Unified Infotech

Unified Infotech is a trusted partner for IT and software solutions dedicated to empowering businesses.

BlackSwan Technologies

BlackSwan Technologies

BlackSwan Technologies is reinventing enterprise software through Agile Intelligence for the Enterprise – a fusion of data, artificial intelligence, and cloud technologies.