Qbot Takes New Distribution Method to Infect Korean Users

Qakbot (aka Qbot and Pinkslipbot) has long since evolved from a banking trojan into a multi-purpose botnet that can perform a wide range of tasks. AhnLab has identified a new campaign that propagates Qbot via malicious PDF files attached to replies or forwards of existing emails.

Diving into details

  • The email is disguised as a reply within a hijacked, legitimate email thread, sent to the target user with a malicious file attached. 
  • The recipient addresses are obtained from the original email's recipients and CC list. Notably, the dates of the original emails span a wide range from 2018 to 2022, indicating that they are not recent. 
  • The contents of the replies are unrelated to the original email. However, they contain messages that entice users to open the attachment.

Getting infected

  • Upon opening the PDF files, users are presented with a page displaying the Microsoft Azure logo, along with a persuasive message urging them to click the "Open" button.
  • Subsequently, the user is redirected to a malicious URL. Upon establishing a connection, a password-protected compressed ZIP file is downloaded. 
  • Further investigation of the decompressed file revealed obfuscated script code hidden among dummy text, designed to evade antivirus detection.

More on Qakbot

According to a Cofense report, Qakbot became one of the top malware families used in phishing attacks throughout 2022. 
  • In March, researchers spotted a network intrusion, in which the threat actors gained initial access via Qbot and later deployed the Black Basta ransomware.  
  • In a February campaign, the malware operators started experimenting with OneNote as a new distribution method. Dubbed QakNote, the spam campaign disseminated Microsoft OneNote attachments embedded with an HTML file.

The bottom line

Qbot or Qakbot follows a destructive attack pattern, shifting from one tactic to another for maximum profit. As multiple campaigns in similar formats keep popping up, researchers have advised users not to open emails from unknown sources and to update their antivirus software to the latest version.
Cyware Publisher