Researchers at Check Point warn that the QBot banking Trojan now has the ability to hijack email threads on infected devices and send malicious emails to the victim’s contacts. The malware’s operators began churning out phishing emails earlier this month after a brief hiatus.
“One of Qbot’s new tricks is particularly nasty, as once a machine is infected, it activates a special ‘email collector module’ which extracts all email threads from the victim’s Outlook client, and uploads it to a hardcoded remote server,” the researchers write. ”These stolen emails are then utilized for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation. Check Point’s researchers have seen examples of targeted, hijacked email threads with subjects related to Covid-19, tax payment reminders, and job recruitments.”
Check Point adds that Qbot can also spread within a network, potentially gaining access to more email accounts from which it can propagate even farther.
“Once the victim has been infected, their computer is compromised, and they are also a potential threat to other computers in the local network because of Qbot’s lateral movement capabilities,” the researchers write. “The malware then checks whether the victim can also be a potential bot as part of Qbot’s infrastructure.”
This campaign is widespread and indiscriminate, but the most-targeted sectors are government, military, manufacturing, insurance/legal, and healthcare. The researchers conclude that Qbot’s developers can be expected to continue adding improvements to their malware.
“These days Qbot is much more dangerous than it was previously – it has[an] active malspam campaign which infects organizations, and it manages to use a ‘3rd party’ infection infrastructure like Emotet’s to spread the threat even further,” they write.
New-school security awareness training can teach your employees to be wary of clicking on links in emails, even if the messages are sent from a trusted account.
Check Point has the story.