Qbot Malware Can Read Your Email

A new phishing campaign analysed by threat intelligence provider Check Point reveals how an old trojan has been repurposed to phish people by capturing their email threads. The malware, called Qbot, continues to target Windows PCs and other devices with renewed effectiveness. Although it first emerged in 2007, it remains a threat to Windows users.

Qbot, otherwise known as Qakbot or QuakBot, is an old software threat to Windows users that pre-dates the first iPhone and has been continually developed. It is known for collecting browsing data and stealing banking credentials and other financial information from victims. It is highly structured and multi-layered, and is continuously being extended with new features that broaden its capabilities.

Now, it appears that Qbot has gained a module that reads through a victim's email threads so that its phishing messages can be injected into existing conversations, making them look legitimate to the recipient. In October, cyber security research company DFIR obtained a sample of the malware and analysed its current form, finding that the tool is still able to easily exploit key applications, including Microsoft Outlook.

The malware's operators rely on clickable phishing messages and deploy social engineering lures in the form of tax payment reminders, job offers, and Covid-19 alerts to entice victims into clicking malicious links.

More specifically, the analysts report that it takes the adversaries half an hour to steal browser data and emails from Outlook, and 50 minutes before they move to an adjacent workstation. DFIR found that in some cases the initial access vector was unknown; however, the malware was most likely delivered through a Microsoft Excel document that the attackers had configured to download it from a web page.

Windows users should be aware of the ongoing threat and exercise caution when clicking email links from unknown or unexpected senders. The malware hides its malicious processes and creates scheduled tasks to persist on a machine. Once running on an infected device, it uses multiple techniques for lateral movement.

Qbot's authors leverage legitimate Microsoft tools to their advantage, effectively raiding an entire network within 30 minutes of the victim's click, and they have now branched out into ransomware.

  • Security firm Kaspersky has said that Qbot malware infected 65% more PCs in the six months to July 2021 than in the same period the previous year.
  • Microsoft has highlighted the effectiveness of Qbot malware, whose modular design makes it difficult to detect.
  • The FBI has warned that Qbot trojans are used to distribute ProLock, a "human-operated ransomware".

Regardless of how a Qbot infection is delivered, it is essential to remember that almost all of them begin with an email, and this is the main access point that organisations need to strengthen.

Current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks that target Linux-based workloads. Linux is the most common cloud operating system and a core part of digital infrastructure, and it is quickly becoming an attacker's favoured route into a multi-cloud environment. All of these cyber security issues need far more attention.

Sources: Check Point, DFIR Report, Microsoft, HelpNet Security, TechRepublic, OODA Loop, FBI, ZDNet, Bleeping Computer
