Threat players have taken advantage of the ongoing uncertainty around the 2020 US election to release a new malspam campaign in order to spread the Qbot trojan.
Emails try to tempt victims with malicious documents claiming to have information about voting interference.
Criminals behind Qbot re-emerged the day following the election with a deluge of spam emails that attempted to lure victims with messages claiming to have information about election interference, outlines new researchers.
Intense Scrutiny
“The 2020 US elections have been the subject of intense scrutiny & emotions, while happening in the middle of a global pandemic,” researchers at Malwarebytes Labs reported in a posted Wed. “In this case, we began observing a new spam campaign delivering malicious attachments that exploit doubts about the election process.”
Qbot, an ever-evolving information-stealing trojan that’s been around since 2008, re-appeared during 2020 after a break to target customers of US financial institutions with fresh capabilities so as to remain undetected.
Its current form has evolved into “do everything” malware that can steal information, install ransomware, & make unauthorised banking transactions.
ZIP Attachments
The latest e-mails seen by the MalwareBytes Labs team include ZIP attachments named “ElectionInterference_[8 to 9 digits].zip” & request that the recipient “Read the document and let me know what you think.”
If a victim is hooked, they click on an Excel spreadsheet that looks as if it were a secure DocuSign file. “Users are tricked to allow macros in order to ‘decrypt’ the document,” researchers explained.
Cyrillic
After the macro is enabled, it downloads malicious material containing the Qbot trojan with the URL encoded in a cell of a Cyrillic-named sheet “Лист3.” After execution, the trojan contacts its command & control server to request instructions for its malicious activity.
Qbot steals & exfiltrates victim data as well as collects e-mails that can be used in future malspam campaigns, researchers observed.
This latest Qbot campaign uses a trick that the team behind the Emotet trojan—considered by the US Govt. to be one of the most prevalent ongoing cyber threats–also has used to “add legitimacy & make detection harder,” Segura & Jazi noted.
Thread Replies
That method is for the e-mails to arrive as ‘thread replies’, in order to try to trick potential victims into believing the message was part of an earlier email conversation.
Indeed, Qbot previously has been linked to Emotet, taking a ride with the malware as part of a distribution method used in a campaign earlier in 2020.
Emotet
Qbot also was one of the pieces of malware distributed in an election-related Emotet spear-phishing campaign in early Oct. that sent 1,000s of malicious emails purporting to be from the US Democratic National Committee to recruit potential Democratic volunteers.
That threat players are taking advantage of the uncertainty of the 2020 election–the official outcome of which remains unknown is no surprise. Security researchers expected that election day & its aftermath would be disrupted by cyber threat players.
Distribute Malware
The current election 2020 situation is perfect for the social-engineering schemes often-used by threat players to mass distribute malware via malicious e-mails, Segura & Jazi observed.
“Threat actors need to get victims to perform a certain set of actions in order to compromise them,” they wrote. “World events such as the Covid pandemic or the U.S. elections provide ideal material to craft effective schemes resulting in high infection ratios.”
https://www.cybernewsgroup.co.uk/virtual-conference-november-2020/