{"id":18530,"date":"2021-07-09T14:19:26","date_gmt":"2021-07-09T10:19:26","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/icedid-qbot-banking-trojans-in-spam\/18530\/"},"modified":"2021-07-09T14:19:26","modified_gmt":"2021-07-09T10:19:26","slug":"icedid-qbot-banking-trojans-in-spam","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/icedid-qbot-banking-trojans-in-spam\/18530\/","title":{"rendered":"Banking Trojans in a business wrapper"},
"content":{"rendered":"<p>For employees facing hundreds of e-mails, the temptation to speed-read and download attachments on autopilot can be great. Cybercriminals, of course, take advantage, sending out seemingly important documents that might contain just about anything from <a href=\"https:\/\/www.kaspersky.com\/blog\/office-365-phishing-via-gdocs\/39828\/\" target=\"_blank\" rel=\"noopener nofollow\">phishing links<\/a> to malware. Our experts recently <a href=\"https:\/\/securelist.com\/malicious-spam-campaigns-delivering-banking-trojans\/102917\/\" target=\"_blank\" rel=\"nofollow noopener\">discovered<\/a> two very similar spam campaigns distributing the IcedID and Qbot <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/banker-trojan-banker\/\" target=\"_blank\" rel=\"noopener\">banking Trojans<\/a>.<\/p>\n<h2>Spam with malicious documents<\/h2>\n<p>Both e-mails were disguised as business correspondence. In the first case, the attackers demanded compensation for some bogus reason or said something about canceling an operation. Attached to the message was a zipped Excel file named CompensationClaim plus a series of numbers. The second spam mailing had to do with payments and contracts and included a link to the hacked website where the archive containing the document was stored.<\/p>\n<p>In both cases, the attackers\u2019 aim was to persuade the recipient to open the malicious Excel file and run the macro in it, thus downloading either IcedID or (less commonly) Qbot to the victim\u2019s machine.<\/p>\n<h2>IcedID and Qbot<\/h2>\n<p>The IcedID and Qbot banking Trojans have been around for years, with IcedID first <a href=\"https:\/\/threatpost.com\/new-icedid-trojan-targets-us-banks\/128851\/\" target=\"_blank\" rel=\"nofollow noopener\">coming to researchers\u2019 attention<\/a> back in 2017 and Qbot in service <a href=\"https:\/\/threatpost.com\/qbot-trojan-us-banking-customers\/156624\/\" target=\"_blank\" rel=\"nofollow noopener\">since 2008<\/a>. Moreover, attackers are constantly honing their techniques. For example, at one point they hid the main component of IcedID in a PNG image using a trick called <a href=\"https:\/\/www.kaspersky.com\/blog\/digital-steganography\/27474\/\" target=\"_blank\" rel=\"noopener nofollow\">steganography<\/a> that is pretty hard to detect.<\/p>\n<p>Today, both malware programs are available on the shadow market; in addition to their creators, numerous clients distribute the Trojans. The malware\u2019s main task is to steal bank card details and login credentials for bank accounts, preferably business accounts (hence the businesslike e-mails). To achieve their objectives, the Trojans employ various methods. For example, they may:<\/p>\n<ul>\n<li>Inject a malicious script into a Web page to intercept user-entered data;<\/li>\n<li>Redirect online banking users to a fake login page;<\/li>\n<li>Steal data saved in the browser.<\/li>\n<\/ul>\n<p>Qbot can also log keystrokes to intercept passwords.<\/p>\n<p>Unfortunately, theft of payment data is not the only trouble that awaits victims. For example, IcedID can download other malware, including ransomware, to infected devices. Meanwhile, Qbot\u2019s tricks include <a href=\"https:\/\/research.checkpoint.com\/2020\/exploring-qbots-latest-attack-methods\/\" target=\"_blank\" rel=\"nofollow noopener\">stealing e-mail threads<\/a> for use in further spam campaigns, and providing its operators with remote access to victims\u2019 computers. On work machines in particular, the consequences can be serious.<\/p>\n<h2>How to stay safe from banking Trojans<\/h2>\n<p>No matter how crafty cybercriminals can be, you don\u2019t need to reinvent the wheel to stay safe. Both of the spam campaigns in question rely on recipients taking risky actions \u2014 if they don\u2019t open the malicious file and let it execute the macro, the scheme simply will not work. To reduce your chances of becoming a victim:<\/p>\n<ul>\n<li>Check the sender\u2019s identity, including the domain name. Someone claiming to be a contractor or a corporate client but using a Gmail address, for example, may be suspicious. And if you simply don\u2019t know who the sender is, check with colleagues;<\/li>\n<li>Prohibit macros by default, and treat documents that require you to enable macros or other content with suspicion. Never run a macro unless you\u2019re absolutely sure the file needs it \u2014 and is safe;<\/li>\n<li>Install a <a href=\"https:\/\/me-en.kaspersky.com\/plus?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kplus___\" target=\"_blank\" rel=\"noopener\">reliable security solution<\/a>. If you work on a personal device, or your employer is lax when it comes to workstation protection, make sure it\u2019s protected. Our products detect both IcedID and Qbot.<\/li>\n<\/ul>\n","protected":false},
"excerpt":{"rendered":"<p>Spammers are using malicious macros to distribute IcedID and Qbot banking malware in seemingly important documents.<\/p>\n","protected":false},"author":2477,"featured_media":18531,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[702,2470,2471,2102,2472,240],"class_list":{"0":"post-18530","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-banking-trojans","9":"tag-icedid","10":"tag-macros","11":"tag-malicious-attachments","12":"tag-qbot","13":"tag-spam"},
"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/icedid-qbot-banking-trojans-in-spam\/18530\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/icedid-qbot-banking-trojans-in-spam\/23048\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/icedid-qbot-banking-trojans-in-spam\/25003\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/icedid-qbot-banking-trojans-in-spam\/23011\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/icedid-qbot-banking-trojans-in-spam\/22303\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/icedid-qbot-banking-trojans-in-spam\/25622\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/icedid-qbot-banking-trojans-in-spam\/25092\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/icedid-qbot-banking-trojans-in-spam\/31030\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/icedid-qbot-banking-trojans-in-spam\/9823\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/icedid-qbot-banking-trojans-in-spam\/40552\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/icedid-qbot-banking-trojans-in-spam\/17313\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/icedid-qbot-banking-trojans-in-spam\/15035\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/icedid-qbot-banking-trojans-in-spam\/27052\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/icedid-qbot-banking-trojans-in-spam\/31215\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/icedid-qbot-banking-trojans-in-spam\/27280\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/icedid-qbot-banking-trojans-in-spam\/24090\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/icedid-qbot-banking-trojans-in-spam\/29425\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/icedid-qbot-banking-trojans-in-spam\/29217\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/banking-trojans\/","name":"banking trojans"},
"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2477"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18530"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18530\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18531"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}