Qbot's New Version Can Hijack Email Threads
The online threat landscape is a very peculiar place. It shifts and changes all the time, and we see new names come in while old ones drop out every single day. In light of all this, you might expect that a malware family that appeared more than ten years ago would now be nothing more than a distant memory. As Check Point researchers pointed out yesterday, however, the Qbot banking trojan is proof that this is not always the case.
Also known as QakBot, it first appeared in 2008, but twelve years on, it's still going strong. Initially, Qbot's functionality revolved around stealing banking passwords and other sensitive data, but as the researchers pointed out, over the years it has gained such a diverse array of additional features that it's sometimes referred to as the "Swiss Army knife" of malware. This doesn't mean that Qbot's authors are going to stop here, though. In fact, the purpose of Check Point's report was to detail the trojan's most recent updates.
You can teach an old bot new tricks
Between March and June, Qbot was in the middle of a big campaign, but it then stopped spreading, and the experts thought that the malware's operators had given it a break in order to add some tweaks and adjustments. They were expecting the update to take a bit longer, but in late July, the infamous Emotet trojan started a massive malspam campaign, and many of the malicious messages carried a new version of Qbot. In a matter of days, Qbot's operators released yet another version, with even more new features. It's a big campaign, and thanks to a new module, the hackers want to ensure that a large portion of the people who receive the email will end up infected with the malware.
For the most part, the infection is pretty much a standard Qbot operation. The victim receives an email with a link to a ZIP archive hosted on a compromised WordPress website. Inside the ZIP, the user finds a file that, if opened, triggers the infection. Up until April, Qbot's operators put macro-laced Word documents inside the malicious ZIPs, but they have since switched to Visual Basic Scripts (VBS). The VBS contacts one of the distribution sites and downloads the initial payload, which sets the scene for the actual trojan. The initial payload performs a couple of checks to ensure that it's not running in a sandbox environment and makes some registry changes to achieve persistence. Finally, when it's sure that it's safe to continue, it deploys the main Qbot payload.
The most recent updates didn't really bring any major changes. Qbot can still steal passwords, credit card details, and other sensitive information. It can log into the victim's banking account and make transactions on their behalf, and it can also install other malware strains if it's instructed to.
The experts said that they saw some other modules that help with lateral movement across a network, but they decided not to elaborate on them because they saw new functionality that was more noteworthy.
Qbot can hijack your email conversations
The new module is designed to steal entire threads from the victim's Outlook email client. This is already bad news because although experts have been warning about the dangers of sharing sensitive information over email, people continue to fill their messages with data that can cause extreme damage if it falls into the wrong hands.
The hackers aren't stealing people's email threads because they want the information inside them, though. They are doing it so that they can reply on behalf of the victim that has already been infected with Qbot and trick the other participant in the conversation into installing the malware as well. Check Point's experts said that they've seen the crooks hijacking email threads and sending malicious links in messages revolving around anything from the COVID-19 pandemic to tax payment reminders.
This is one of the hackers' cleverest moves. People are now wary enough of emails that distribute malware, and they tend to be a bit more careful with the messages they find in their inboxes. If the links are coming from a person they know and have already communicated with, however, the targets are much more likely to click on them.
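The delivery chain described earlier (a link to a ZIP on a compromised WordPress site, a VBS inside the archive) and the thread-hijacking trick described just above give a mail-security team a few concrete things to check for. The script below is an added triage example written for this article, not code from Check Point or from the Qbot operators. The sample messages and the archive it builds are constructed; the WordPress path fragments, the list of script extensions, and the "archive link introduced inside an existing reply thread" heuristic are assumptions for the example, not indicators taken from the report.

```python
"""
Mail triage for the Qbot delivery pattern described in the article:
phishing mail (possibly a reply injected into a real thread) -> link to a
ZIP on a compromised WordPress site -> Windows script inside the archive.
Constructed example; heuristics are assumptions, not published indicators.
"""
import io
import re
import zipfile
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Assumed heuristics: typical WordPress upload paths and the script types a
# ZIP-delivered loader tends to use (the article names VBS specifically).
WORDPRESS_PATH_HINTS = ("/wp-content/", "/wp-includes/", "/wp-admin/")
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def archive_links(body):
    """Return every http(s) link whose path ends in .zip, flagging those
    that sit under a WordPress-style path."""
    found = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        path = parsed.path.lower()
        if path.endswith(".zip"):
            found.append({
                "url": url,
                "host": parsed.hostname,
                "wordpress_path": any(h in path for h in WORDPRESS_PATH_HINTS),
            })
    return found


def script_members(zip_bytes):
    """List archive members that carry a Windows Script Host extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]


def is_reply(msg):
    """Treat a message as part of an existing thread when it carries
    In-Reply-To/References headers or a 'Re:' subject."""
    subject = (msg.get("Subject") or "").strip().lower()
    return bool(msg.get("In-Reply-To") or msg.get("References")) or subject.startswith("re:")


def triage(raw_message, zip_bytes=None):
    """Score a message; zip_bytes is the fetched archive, if the gateway
    retrieved it for inspection. Each reason adds one point."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # constructed samples are single-part plain text
    links = archive_links(body)
    scripts = script_members(zip_bytes) if zip_bytes else []
    reasons = []
    if links:
        reasons.append("link to ZIP archive")
    if any(link["wordpress_path"] for link in links):
        reasons.append("archive hosted under a WordPress path")
    if scripts:
        reasons.append("archive contains script: " + ", ".join(scripts))
    if links and is_reply(msg):
        # A reply that suddenly introduces an archive link is the hijacked-thread shape.
        reasons.append("archive link introduced inside an existing thread")
    return {"score": len(reasons), "reasons": reasons, "links": links}


# Constructed samples: a hijacked-thread reply and a harmless reply.
PHISH = """\
From: colleague@partner.invalid
To: you@corp.invalid
Subject: Re: Q2 tax payment reminder
In-Reply-To: <orig-123@corp.invalid>

Hi, please see the updated documents here:
https://blog.example.invalid/wp-content/uploads/2020/08/TaxDocs_2020.zip
"""

BENIGN = """\
From: colleague@partner.invalid
To: you@corp.invalid
Subject: Re: Q2 tax payment reminder

Thanks, confirmed. The portal is https://portal.example.invalid/status
"""


def build_sample_zip():
    """Build an in-memory ZIP holding a placeholder .vbs name (no real script)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("TaxDocs_2020.vbs", "' placeholder text, not a real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, raw, archive in (("phish", PHISH, build_sample_zip()), ("benign", BENIGN, None)):
        print(name, triage(raw, archive))
```

The scoring is deliberately additive so that the reply-thread signal alone does not quarantine legitimate mail; it only raises the score of a message that already carries an archive link, which is the combination the article describes.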
Qbot's latest update doesn't change the main functionality of the malware, but despite this, it shows that its operators are far from giving up on it. Although it's now more than a decade old, it's more formidable than ever.