A phishing campaign has been detected that is being used to deliver QBot malware, one of the oldest malware families still in use. QBot malware has been around since at least 2009 and is known by many different names, including QakBot, QuackBot and Pinkslipbot. One of the primary functions of the malware is to steal passwords, although the latest variants also serve as a backdoor into victims’ systems. As is the case with many other Trojan malware variants, the group operating the malware works as an initial access broker for ransomware gangs. After the gang has achieved its aims, access to compromised devices is sold to ransomware gangs.
The threat actors behind QBot malware have previously worked with the operators of the Emotet botnet, and used the Emotet malware for delivering QBot; however, the law enforcement takedown of the Emotet botnet in January 2021 forced the group to switch attack vectors, and since then QBot malware has been primarily distributed using phishing emails. Now the group has been observed using a new tactic in its phishing campaigns that use Scalable Vector Graphics (SVG) files.
One of the ways that these campaigns can be identified and avoided is through security awareness training for the workforce to educate employees about the risks of opening files sent via email. One of the standard tenets of security awareness training has been to tell employees not to open files in unsolicited emails or from unknown individuals. That advice is not particularly helpful, as employees are often required to open emails from unknown individuals or unsolicited messages as part of their jobs, and in this case, that advice would not be effective.
QBot, like Emotet, is capable of hijacking message threads on infected devices and inserting its malicious content. In this campaign, a previous email correspondence is hijacked and text is inserted and the message is sent. That text is simple, yet effective “Good afternoon, Take a look at the attached file. Thanks.” The email will have been sent from a genuine email address, the individual is known to the recipient, and the email is not unsolicited as there has been a previous conversation. The only clue that the message is not a genuine reply is the email conversation is old. In this case, from two years ago.
It is important to provide security awareness training to the workforce but in order to be effective, the training needs to be ongoing and should include examples of the latest phishing techniques, such as this technique for distributing QBot.