Qbot's New Version Can Hijack Email Threads

Qbot Latest Version Hijacks Email Threads

The online threat landscape is a very peculiar place. It shifts and changes all the time, and we see new names come in while old ones drop out every single day. In light of all this, you might expect that a malware family that appeared more than ten years ago would now be nothing more than a distant memory. As Check Point researchers pointed out yesterday, however, the Qbot banking trojan is proof that this is not always the case.

Also known as QakBot, it first appeared in 2008, but twelve years on, it's still going strong. Initially, Qbot's functionality revolved around stealing banking passwords and other sensitive data, but as the researchers pointed out, over the years, it has gained such a diverse array of additional features, that it's sometimes referred to as the "Swiss Army knife" of malware. This doesn't mean that Qbot's authors are going to stop here, though. In fact, the purpose of Check Point's report was to detail the trojan's most recent updates.

You can teach an old bot new tricks

Between March and June, Qbot was in the middle of a big campaign, but it then stopped spreading, and the experts thought that the malware's operators had given it a break in order to add some tweaks and adjustments. They were expecting the update to take a bit longer, but in late-July, the infamous Emotet trojan started a massive malspam campaign, and many of the malicious messages carried a new version of Qbot. In a matter of days, Qbot's operators released yet another version, with even more new features. It's a big campaign, and thanks to a new module, the hackers want to ensure that a large portion of the people who receive the email will end up infected with the malware.

For the most part, the infection is pretty much a standard Qbot operation. The victim receives an email with a link to a ZIP archive hosted on a compromised WordPress website. Inside the ZIP, the user finds a file that, if opened, triggers the infection. Up until April, Qbot's operators put macro-laced Word documents inside the malicious ZIPs, but they have since switched to Visual Basic Scripts (VBS). The VBS contacts one of the distributions sites and downloads the initial payload, which sets the scene for the actual trojan. The initial payload performs a couple of checks to ensure that it's not running in a sandbox environment and makes some registry changes to achieve persistence. Finally, when it's sure that it's safe to continue, it deploys the main Qbot payload.

The most recent updates didn't really bring any major changes. Qbot can still steal passwords, credit card details, and other sensitive information. It can log into the victim's banking account and make transactions on their behalf, and it can also install other malware strains if it's instructed to.

The experts said that they saw some other modules that help with lateral movement across a network, but they decided not to elaborate on them because they saw a new functionality that was more noteworthy.

Qbot can hijack your email conversations

The new module is designed to steal entire threads from the victim's Outlook email clients. This is already bad news because although experts have been warning about the dangers of sharing sensitive information over email, people continue to fill their messages with data that can cause extreme damage if it falls into the wrong hands.

The hackers aren't stealing people's email threads because they want the information inside them, though. They are doing it so that they can reply on behalf of the victim that has already been infected with Qbot and trick the other participant in the conversation into installing the malware as well. Check Point's experts said that they've seen the crooks hijacking email threads and sending malicious links in messages revolving around anything from the COVID-19 pandemic to tax payment reminders.

This is one of the hackers' cleverest moves. People are now wary enough of emails that distribute malware, and they tend to be a bit more careful with the messages they find in their inboxes. If the links are coming from a person they know and have already communicated with, however, the targets are much more likely to click on them.

Qbot's latest update doesn't change the main functionality of the malware, but despite this, it shows that its operators have far from given up on it. Although it's now more than a decade old, it's more formidable than ever.

By Duran
August 28, 2020
News
English
August 28, 2020
News

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Trojan

Qbot Continues Stealing Vulnerable Passwords

Dozens of malware families appear every day. Many of them are written by less capable hackers and are not that difficult to protect against which means that usually, they fail to make any sort of significant... Read more

May 8, 2019
News

Watch Out for the 'Fix Incoming Email Issues' Email Aimed at Outlook Users

Unfortunately, emails that try to trick you into giving away your login credentials have become so common, that they are now a part of our everyday online existence. Most of these campaigns are not incredibly... Read more

August 27, 2020
How To

How to Change Your Apple ID and Email Address

Did you get a new email address? Or maybe you no longer have access to your old one for some reason. It doesn't matter. All that matters is that you update your Apple ID because it is crucial for protecting your... Read more

March 11, 2020
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.