A new version of a trojan is spreading fast, & already has claimed 100,000 victims worldwide.
Attacks attributed to the Qbot trojan, known as the “Swiss Army Knife” of malware, are on the rise with a reported 100,000 recent infections, say researchers.
Qbot, an ever-evolving information-stealing trojan that’s existed since 2008, has changed tactics again & adopted a host of new techniques, say researchers at Check Point, who released a report on their findings Thursday. For example, one new Qbot feature hijacks a victim’s Outlook-based email thread & uses it to infect other PCs.
Resurfaced
The 12-year-old malware resurfaced in Jan. 2020, cautioned F5 researchers, who issued a report in June outlining new Qbot evasive features to avoid detection.
“We assumed that the campaign was stopped after Jun. to allow those behind QBot to conduct further malware development, but we did not imagine that it would return so quickly,” explained Alex Ilgayev, the report writer.
Emotet
Ilgayev commented that Check Point has identified several new campaigns recently. One attached itself to the Emotet botnet, which also recently resurfaced after a 5-month gap. This reveals a new distribution method.
A single campaign reached 5% of organisations worldwide in July, Check Point revealed. Researchers also believe that Qbot has a brand-new command-and-control structure.
Updated
“Our research shows how even older forms of malware can be updated with new features to make them a dangerous & persistent threat,” Yaniv Balmas, Head of Cyber Research at Check Point commented. “The threat actors behind Qbot are investing heavily in its development to enable data theft on a massive scale from organisations & individuals.”
To date, most of the victims of the new Qbot campaigns have been in the US, where 29% of Qbot attacks have been found, followed by India, Israel & Italy, outlined Check Point.
Inboxes
Most troubling about the recent manifestation of Qbot is how it turns people’s own inboxes into a weapon used against them. When installed, the trojan sends specially crafted emails to the target organisations or people, each with a URL to a ZIP with a malicious Visual Basic Script (VBS) file, which contains code that can be executed within Windows, researchers explained.
If the file is executed, Qbot then activates a special “email collector module” to take all email threads from the victim’s Outlook client, which it then uploads to a hardcoded remote server.
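An added example (not from the Check Point report or this article): a gateway-style check that opens a downloaded ZIP and reports any Windows script members, such as the VBS file described above, including ones hidden in a nested archive or behind a double extension. The extension list, the depth and size limits, and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed policy list: extensions Windows runs as scripts (VBS is the one Qbot used).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
MAX_DEPTH = 3                         # do not unpack nested archives deeper than this
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # do not inflate nested archives larger than this


def find_script_members(zip_bytes, depth=0, prefix=""):
    """Return the paths of script files inside a ZIP, following nested ZIPs."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits                   # not a ZIP at all: nothing to report
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Windows ignores trailing dots and spaces, so strip them first.
            name = info.filename.lower().rstrip(". ")
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            path = prefix + info.filename
            if ext in SCRIPT_EXTS:    # last extension decides, so "x.pdf.vbs" is caught
                hits.append(path)
            elif (ext == ".zip" and depth < MAX_DEPTH
                  and info.file_size <= MAX_MEMBER_BYTES
                  and not info.flag_bits & 0x1):   # skip encrypted members
                hits.extend(find_script_members(archive.read(info), depth + 1, path + "!"))
    return hits


def build_sample():
    """Constructed sample archive: harmless placeholder text, no real malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice_2020.pdf.vbs", "' constructed placeholder\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("docs/inner.zip", inner.getvalue())
        z.writestr("Report.VBS", "' constructed placeholder\n")
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_script_members(build_sample()):
        print("script member found:", hit)
```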
Malspam
“These stolen emails are then utilised for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation,” researchers outlined.
This trojan selects threads with current & relevant subject matter to try to deceive targets. In the recent campaigns, Check Point researchers observed Qbot stealing emails related to Covid-19, as well as emails related to tax-payment reminders & job recruitments.
When running, Qbot shows various characteristics, any of which alone would be a problem for victims, researchers observed.
Infected
The malware can steal information from infected machines, including passwords, emails & credit card details, they revealed. It also can install malware, including ransomware, on other machines, or connect to a victim’s computer using the Bot controller to make bank transactions from that IP address, explained Check Point.
In addition to the normal email security protections, Check Point is now advising users to be especially careful with any email that appears suspicious or remotely worrying, even if the sender is someone who is known, in order to avoid falling victim to the revamped Qbot, Balmas observed.
“I strongly recommend people to watch their emails closely for signs that indicate a phishing attempt – even when the email appears to come from a trusted source,” he concluded.