Phishing campaigns are a popular and often effective means of cyberattack as they rely on social engineering and human frailty to achieve their goals. Some campaigns are general in nature, aimed at a large and random group of people. Others are more specific and conduct careful research beforehand to better target specific individuals. A new phishing campaign analyzed by threat intelligence provider Check Point reveals how the old Qbot trojan has been repurposed to phish people by capturing their email threads.
In its Thursday blog post entitled “An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods,” Check Point describes Qbot (also known as Qakbot and Pinkslipbot) as a notorious banking trojan that’s been around since 2008. Known for stealing banking account credentials and other financial data from its victims, Qbot is continuously being updated with new features and capabilities.
Though Qbot has periodically been active for more than a decade, a new and prominent campaign surfaced from March to the end of June this year. After a brief respite, another campaign appeared toward the end of July. This one used the infamous Emotet trojan to install an updated version of Qbot on targeted computers. That discovery led Check Point to uncover a renewed command and control infrastructure and new malware tactics for Qbot courtesy of Emotet.
Traditionally, Qbot is capable of a variety of malicious actions, such as:
- Stealing information from infected machines, including passwords, emails, and credit card details.
- Installing other malware on infected machines, including ransomware.
- Allowing the Bot controller to connect to the victim’s computer (even when the victim is logged in) to make banking transactions from the victim’s IP address.
But the latest strain found in early August has a new trick up its sleeve, namely harvesting email messages. After a computer is infected, Qbot turns on a special “email collector module,” which extracts email threads from the Microsoft Outlook client and uploads them to a remote server. Attackers use these stolen threads for phishing campaigns by making their own scam emails appear to be part of the conversation. Check Point said it found hijacked threads with such subjects as COVID-19, tax payment reminders, and job recruitments.
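The thread-hijacking pattern described above (a "reply" that continues a stolen conversation but arrives from an address that never took part in it, often carrying a malicious attachment) can be screened for with a simple mail-gateway heuristic. The following is an added defender-side example, not Check Point's or Qbot's code; the message, addresses and domains are constructed for illustration.

```python
"""Heuristic for reply-chain phishing (thread hijacking): a message that claims
to continue a thread but comes from an address absent from the quoted
conversation, optionally with a risky attachment. Sample mail is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a "reply" to a genuine thread, sent from a look-alike domain.
SAMPLE = """\
From: Dana Example <dana@examp1e-corp.test>
To: pat@client.test
Subject: RE: Tax payment reminder
In-Reply-To: <orig-1234@client.test>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Pat, attached as we discussed.
> From: Dana Example <dana@example-corp.test>
> To: pat@client.test
> Subject: Tax payment reminder
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAo=
--b1--
"""
RISKY_EXT = (".zip", ".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs")

def quoted_participants(body):
    """Addresses on 'From:'/'To:' lines inside quoted ('>') text."""
    pat = r"^>.*?(?:From|To):.*?([\w.+-]+@[\w.-]+)"
    return {a.lower() for a in re.findall(pat, body, re.M)}

def analyze(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
        elif part.get_filename():
            attachments.append(part.get_filename().lower())
    findings = []
    participants = quoted_participants(body)
    if msg.get("In-Reply-To") and participants and sender not in participants:
        findings.append("reply to existing thread from %s, not a quoted participant" % sender)
    if any(a.endswith(RISKY_EXT) for a in attachments):
        findings.append("risky attachment: " + ", ".join(attachments))
    return findings
```

A legitimate reply from a quoted participant triggers only the attachment finding, so the two signals are best combined with reputation or sandboxing rather than used alone.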
“Our research shows how even older forms of malware can be updated with new features to make them a dangerous and persistent threat,” Yaniv Balmas, head of cyber research at Check Point, said in a press release. “The threat actors behind Qbot are investing heavily in its development to enable data theft on a massive scale from organizations and individuals. We have seen active malspam campaigns distributing Qbot directly, as well as the use of third-party infection infrastructures like Emotet’s to spread the threat even further.”
To protect yourself and your organization from Qbot attacks and other phishing campaigns, Check Point offers the following recommendations:
- Incorporate email security. Email is by far the No. 1 vector for attackers to infiltrate networks and PCs to then steal data. Phishing emails that bait users to expose their organization credentials or click on a malicious link or file are the No. 1 threat in the email space. Organizations must always incorporate an email security solution designed to prevent such attacks automatically by using continuously updated security engines.
- Be suspicious. Be wary of emails that contain unknown attachments or unusual requests, even if they appear to originate from trusted sources. It’s always better to check the email to make sure it’s legitimate before clicking a link or an attachment.
- Add verification. When dealing with bank transfers, always be sure to add a second verification by either calling the person who requested the transfer or by calling the receiving party.
- Notify business partners. If an email breach has been detected in your organization, notify all your business partners. Any delay in notification only works toward the benefit of the attacker.