QBot trojan being distributed through business e-mails

Hackers are distributing the QBot trojan through business correspondence.

QBot Trojan in business e-mail

In early April, Kaspersky experts discovered a mass e-mailing campaign sending messages with a malicious PDF attached. The attackers are taking aim at companies: a dangerous document is attached to business correspondence (we saw e-mails written in English, German, Italian and French). The objective of the campaign is to infect victims’ computers with the QBot malware, also known as QakBot, QuackBot, or Pinkslipbot. Interestingly, about a year ago our specialists observed a similar sudden increase in the flow of e-mails delivering malware (including QBot).

What this attack looks like from the victim’s point of view

The attack is based on “conversation hijacking” tactics. Hackers gain access to genuine business correspondence (QBot, among other things, steals locally stored e-mails from previous victims’ computers) and join the dialogue, sending their messages as if they’re carrying on an old conversation. Their e-mails attempt to convince victims to open an attached PDF file, passing it off as an expenses list or other business paper requiring some kind of rapid reaction.

In reality, the PDF contains an imitation notification from Microsoft Office 365 or Microsoft Azure. This notification tries to get the victim to click on the “Open” button. If the victim does so, a password-protected archive is downloaded onto the computer (with the password in the text of the “notification” itself). Next, the recipient is expected to unpack the archive and run the .wsf (Windows Script File) inside. This is a malicious script that downloads QBot malware from a remote server. A more detailed technical description of all stages of the attack, along with indicators of compromise, can be found here on the Securelist website.

What might a QBot infection lead to?

Our experts classify QBot as a banking Trojan. It allows attackers to mine credentials (logins and passwords) and cookies from browsers, steal correspondence, spy on banking activities, and record keystrokes. It can also install other malware (ransomware for example).

How to stay safe?

In order to protect your company from the actions of cybercriminals, we recommend installing a reliable cybersecurity solution on all corporate devices with internet access. Also helpful is equipping the mail gateway with a product capable of filtering malicious, phishing and spam e-mails. Finally, in order to empower your employees to independently identify attacker’s tricks, it’s necessary to regularly raise their awareness of modern cyberthreats.