Cybercriminals have taken advantage of the uncertainty over the U.S. presidential election result over the past few days and are using exploiting fear about voting fraud to infect users with malware. With so many postal votes being sent this year, which take much longer to count than in-person votes, there was always going to be a delay in determining the outcome of the presidential election. In such a close election a winner may not be declared for some time, certainly several days after election day, and possibly weeks given the likelihood of several legal challenges and recounts.
Spam campaigns exploiting the situation started to be sent soon after the polls had closed distributing the QBot banking Trojan. When a device is infected with the QBot Trojan, the user’s email account is hijacked and used to send copies of the malware to the user’s contacts. To increase the probability of emails being opened by the recipients, previous email threads are hijacked, and a response is sent with a malicious attachment containing a macro that downloads the malware.
In this campaign, a search is performed for emails containing the word “election” and replies are sent to the senders of those messages. A zip file is attached to the emails named “ElectionInterference,” with the zip file containing a malicious spreadsheet.
The messages encourage the recipient to open the attached spreadsheet to discover important information about interference in the election. With President Trump suggesting in press conferences that there is substantial evidence of election fraud, these messages may seem very credible and enticing to recipients.
The spreadsheet mimics a secure DocuSign file and the user is instructed to enable content to decrypt the file and view the contents; however, doing so will allow macros to run which will silently download the Qbot Trojan.
The QBot Trojan was first identified in 2008; however, it has received many updates over the years to add new functions and mechanisms to evade security solutions. The ability to hijack Outlook email threads is a fairly new feature. The same tactic is also used by the Emotet Trojan to increase the probability of messages and their malicious attachments being opened. The tactic has proven very effective for the operators of Emotet.
In addition to targeting customers of major financial institutions, the QBot Trojan steals sensitive information such as credit card information and passwords. Like Emotet and the TrickBot Trojan, QBot is also a malware dropper. The operators of QBot team up with other threat groups and deliver their malicious payloads, with ransomware often delivered to QBot victims.
Threat actors are quick to seize any opportunity to infect devices with malware, as was seen in the early days of the COVID-19 pandemic when threat groups switched their spamming infrastructure to send COVID-19 themed lures. Election-themed emails are likely to continue for some time with legal challenges to the result expected. Holiday season is also fast approaching, and like previous years, threat actors will send Black Friday, Cyber Monday, and other holiday period themed phishing lures to steal credentials and distribute malware.
Businesses can protect against these phishing and malspam campaigns using a combination of a spam filter, web filter, antivirus software, and end user training.