{"id":20942,"date":"2023-04-17T06:02:02","date_gmt":"2023-04-17T10:02:02","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/qbot-pdf-mailout\/20942\/"},"modified":"2023-08-21T10:03:01","modified_gmt":"2023-08-21T06:03:01","slug":"qbot-pdf-mailout","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/qbot-pdf-mailout\/20942\/","title":{"rendered":"QBot trojan being distributed through business e-mails"},"content":{"rendered":"<p>In early April, Kaspersky experts discovered a mass e-mailing campaign sending messages with a malicious PDF attached. The attackers are taking aim at companies: a dangerous document is attached to business correspondence (we saw e-mails written in English, German, Italian and French). The objective of the campaign is to infect victims\u2019 computers with the QBot malware, also known as QakBot, QuackBot, or Pinkslipbot. Interestingly, about a year ago our specialists <a href=\"https:\/\/www.kaspersky.com\/blog\/qbot-emotet-spam-mailing\/44144\/\" target=\"_blank\" rel=\"noopener nofollow\">observed a similar sudden increase<\/a> in the flow of e-mails delivering malware (including QBot).<\/p>\n<h2>What this attack looks like from the victim\u2019s point of view<\/h2>\n<p>The attack is based on \u201cconversation hijacking\u201d tactics. Hackers gain access to genuine business correspondence (QBot, among other things, steals locally stored e-mails from previous victims\u2019 computers) and join the dialogue, sending their messages as if they\u2019re carrying on an old conversation. Their e-mails attempt to convince victims to open an attached PDF file, passing it off as an expenses list or other business paper requiring some kind of rapid reaction.<\/p>\n<p>In reality, the PDF contains an imitation notification from Microsoft Office 365 or Microsoft Azure. This notification tries to get the victim to click on the \u201cOpen\u201d button. 
If the victim does so, a password-protected archive is downloaded onto the computer (with the password in the text of the \u201cnotification\u201d itself). Next, the recipient is expected to unpack the archive and run the .wsf (Windows Script File) inside. This is a malicious script that downloads QBot malware from a remote server. A more detailed technical description of all stages of the attack, along with indicators of compromise, can be found <a href=\"https:\/\/securelist.com\/qbot-banker-business-correspondence\/109535\/\" target=\"_blank\" rel=\"noopener\">here on the Securelist website<\/a>.<\/p>\n<h2>What might a QBot infection lead to?<\/h2>\n<p>Our experts classify QBot as a banking Trojan. It allows attackers to mine credentials (logins and passwords) and cookies from browsers, steal correspondence, spy on banking activities, and record keystrokes. It can also install other malware (ransomware for example).<\/p>\n<h2>How to stay safe?<\/h2>\n<p>In order to protect your company from the actions of cybercriminals, we recommend installing a reliable <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">cybersecurity solution<\/a> on all corporate devices with internet access. Also helpful is equipping the mail gateway <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">with a product capable of filtering malicious, phishing and spam e-mails<\/a>. 
Finally, in order to empower your employees to independently identify attackers\u2019 tricks, it\u2019s necessary to regularly <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">raise their awareness of modern cyberthreats<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers are distributing the QBot trojan through business correspondence.<\/p>\n","protected":false},"author":2730,"featured_media":20943,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916],"tags":[2629,2095,692],"class_list":{"0":"post-20942","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-bankers","10":"tag-mail","11":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/qbot-pdf-mailout\/20942\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/qbot-pdf-mailout\/25510\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/qbot-pdf-mailout\/28126\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/qbot-pdf-mailout\/25816\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/qbot-pdf-mailout\/26224\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/qbot-pdf-mailout\/28710\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/qbot-pdf-mailout\/35113\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/qbot-pdf-mailout\/47902\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/qbot-pdf-mailout\/20466\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/qbot-pdf-mailout\/21139\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog
\/qbot-pdf-mailout\/30032\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/qbot-pdf-mailout\/26144\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/qbot-pdf-mailout\/31821\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/qbot-pdf-mailout\/31507\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/trojans\/","name":"trojans"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20942","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2730"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20942"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20942\/revisions"}],"predecessor-version":[{"id":20990,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20942\/revisions\/20990"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20943"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20942"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20942"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20942"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}