Threat Awareness – Qbot Malware Propagating via Email Hijacking

Author: Alec Davison

Created: Tuesday, April 18, 2023 - 18:47

Categories: Cybersecurity

Qbot malware is once again propagating by exploiting companies' email chains, allowing the threat actors behind the malware to compromise more victims and conduct other malicious activities, according to security researchers at Kaspersky.

Qbot/Qakbot, which WaterISAC has reported on numerous times, is a highly modular malware used for many malicious activities, such as credential harvesting and dropping ransomware. In this latest campaign, threat actors associated with Qbot are exploiting legitimate email correspondence chains to send phishing emails, a technique known as email hijacking, in order to infect victims with the malware. According to the researchers, the malicious campaign uses messages written in different languages, including English, German, Italian, and French. To make the emails appear more authentic, the threat actors put the sender’s name from the previous message in the “From” field; however, users can spot the deception because the fraudulent sender’s email address differs from that of the original sender. Additionally, the researchers note that the fraudulent emails they observed typically urged the recipient to download an attached PDF file; when a user interacts with the PDF, it ultimately leads to a Qbot infection. Read more at Info-Security Magazine.
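The tell described above (a familiar sender name paired with an unfamiliar address, usually with a PDF attached) can be checked automatically. The following Python sketch is an added example, not code from WaterISAC or Kaspersky; the function names, finding labels, and all sample names and addresses are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr

def build(from_header, pdf=False):
    """Construct a sample message (test data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["Subject"] = "Re: Pump station invoice"
    msg.set_content("Please see the attached document.")
    if pdf:
        msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                           subtype="pdf", filename="invoice.pdf")
    return msg

def sender(msg):
    """Return (normalized display name, lowercased address) from From."""
    name, addr = parseaddr(str(msg["From"]))
    return " ".join(name.lower().split()), addr.lower()

def has_pdf(msg):
    """True if any MIME part is a PDF by content type or file name."""
    return any(part.get_content_type() == "application/pdf"
               or (part.get_filename() or "").lower().endswith(".pdf")
               for part in msg.walk())

def assess(thread, reply):
    """Compare a new reply against senders already seen in the thread."""
    seen = {}
    for earlier in thread:
        name, addr = sender(earlier)
        if name and addr:
            seen.setdefault(name, set()).add(addr)
    name, addr = sender(reply)
    findings = []
    if name in seen and addr not in seen[name]:
        findings.append("display-name-reuse")  # known name, unfamiliar address
        if has_pdf(reply):
            findings.append("pdf-attachment")
    return findings

# Constructed thread: one genuine message, then three candidate replies.
THREAD = [build("Dana Smith <dana.smith@utility.example>")]
SPOOFED = build('"Dana Smith" <billing@mail.example.net>', pdf=True)
GENUINE = build("Dana Smith <dana.smith@utility.example>", pdf=True)
STRANGER = build("Lee Wong <lee.wong@vendor.example>")

if __name__ == "__main__":
    for label, msg in [("spoofed", SPOOFED), ("genuine", GENUINE), ("stranger", STRANGER)]:
        print(label, assess(THREAD, msg))
```

A correspondent who legitimately writes from a second address will also trigger the first finding, so results are best treated as a prompt for review rather than a verdict.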

Additional WaterISAC Reporting on Qbot/Qakbot:

  • DHS Report on Threat Actors Exploiting OneNote to Deliver Qakbot and IcedID Malware
  • Threat Awareness – Black Basta Ransomware Employs Qakbot in Latest Attack Chain
  • Qbot Displaces Emotet as Most Prevalent Malware in December 2022, New Report Finds
  • Threat Awareness – Qbot Steals Sensitive Data Minutes after the Initial Infection
