The new QBot email malware attacks are the latest case where threat actors use phishing, PDF, and WSF to deploy malware. Let us see what QBot is, how it works, and how to protect yourself against QBot malware.
The cybersecurity world knows QBot as a banking trojan software that evolved into malware, providing initial access to enterprise networks for malicious actors to drop their payloads.
QBot enables malicious software like Cobalt Strike, Brute Ratel, and others to access corporate network devices, spread laterally through the network, steal critical information, and deploy ransomware in extortion attacks. Let us see how QBot works and how serious this new threat is.
How does QBot Work?
QBot initially started as a banking trojan but has evolved into malware that can cause harm by infiltrating corporate networks and dropping payloads on compromised devices. Here is how QBot works:
- Initial Access and Lateral Movement: QBot provides a foothold to the threat actors by exploiting unpatched software vulnerabilities or phishing attacks on an organization’s employees.
- Distribution Through Phishing: QBot relies on reply-chain phishing emails, where threat actors use stolen email exchanges and reply to them with links to malware or malicious attachments. These phishing emails are in multiple languages.
- PDF and WSF Attachment: The phishing emails include a PDF file named ‘CancelationLetter-[number].pdf,’ which, when opened, displays a message stating that the document contains protected files. When the victim clicks through, a ZIP file containing a WSF (Windows Script File) is downloaded instead. The WSF holds a mixture of JScript and VBScript code that executes when the file is double-clicked and runs a PowerShell script on the victim’s device.
- PowerShell Script and DLL Download: The PowerShell script tries a list of URLs (Uniform Resource Locators) in turn until it successfully downloads a DLL (Dynamic Link Library), then injects the malware into the legitimate Windows Error Manager program.
Image sourced from trellix.com
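The attachment chain above (a ZIP carrying a WSF that mixes JScript and VBScript and calls PowerShell) can be triaged at the mail gateway before a user ever double-clicks it. The following is an added example, not code from the original article or from any vendor; the filename pattern and the sample WSF are constructed to match the description, and the `quarantine`/`review` verdicts are an assumed policy:

```python
import io
import re
import zipfile

# Filename pattern from the campaign described above (constructed regex).
PDF_NAME_RE = re.compile(r"^CancelationLetter-\d+\.pdf$", re.IGNORECASE)
# <script language="..."> elements inside a WSF job file.
SCRIPT_LANG_RE = re.compile(r'<script[^>]*language\s*=\s*["\']?(\w+)', re.IGNORECASE)
POWERSHELL_RE = re.compile(r"powershell", re.IGNORECASE)

# Constructed sample WSF: two script languages plus a PowerShell reference.
# It does nothing real; it only exhibits the structure the article describes.
SAMPLE_WSF = """<job id="sample">
  <script language="JScript">var stage = "one";</script>
  <script language="VBScript">Dim cmd: cmd = "powershell"</script>
</job>"""


def suspicious_pdf_name(filename: str) -> bool:
    """True if the attachment name matches the lure naming scheme."""
    return bool(PDF_NAME_RE.match(filename))


def wsf_indicators(wsf_text: str) -> dict:
    """Extract the script languages used and whether PowerShell is referenced."""
    langs = {m.lower() for m in SCRIPT_LANG_RE.findall(wsf_text)}
    return {
        "languages": sorted(langs),
        "mixed_jscript_vbscript": {"jscript", "vbscript"} <= langs,
        "invokes_powershell": bool(POWERSHELL_RE.search(wsf_text)),
    }


def triage_zip(zip_bytes: bytes) -> dict:
    """Open a ZIP in memory and report any WSF members and an overall verdict."""
    report = {"wsf_members": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".wsf"):
                continue
            ind = wsf_indicators(zf.read(info).decode("utf-8", errors="replace"))
            ind["name"] = info.filename
            report["wsf_members"].append(ind)
            # Mixed-language WSF that calls PowerShell is the chain described above.
            if ind["mixed_jscript_vbscript"] and ind["invokes_powershell"]:
                report["verdict"] = "quarantine"
            elif report["verdict"] == "clean":
                report["verdict"] = "review"  # any WSF attachment deserves a look
    return report


def build_sample_zip() -> bytes:
    """Build the constructed ZIP-with-WSF sample in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CancelationLetter-4821.wsf", SAMPLE_WSF)
    return buf.getvalue()
```

Running `triage_zip(build_sample_zip())` yields a `quarantine` verdict for the sample; a ZIP with no WSF member stays `clean`.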
QBot Analysis: How QBot Can Hack Your System in Minutes
QBot is a severe threat as it has the capability to steal sensitive information from infected systems. The malware can spread itself across multiple networks and devices and make away with login credentials, personal information, and financial data. Did you know the QBot malware can take down a system within minutes?
Researchers at DFIR Report published a case study on the QBot malware, highlighting that it can establish its presence within a system and take it down in 30 minutes.
QBot employs various techniques such as password brute-forcing, social engineering, and malicious phishing emails with PDF attachments to gain access to a network, install the malware, and exfiltrate data by establishing C2 (Command and Control) communication from the victim’s system.
Impact of a QBot Attack | Additional Ransomware Deployment on the Victim Systems
QBot email attacks are a significant threat to corporate networks as they provide threat actors a gateway to establish a system presence and carry out all malicious activities. The QBot email malware attacks also lead to further ransomware attacks as QBot acts as a conduit for notorious RaaS (Ransomware-as-a-Service) operatives, such as REvil, ProLock, MegaCortex, PwndLocker, Egregor, and BlackBasta.
It is paramount for individuals and organizations to stay vigilant against QBot and take all necessary precautions to keep this novel threat at bay. Some approaches you can adopt include exercising caution when opening malicious emails, implementing robust security mechanisms, and regularly updating and patching all systems.
How to Protect Against a QBot Attack?
The QBot email malware attack is a severe threat that must be detected and stopped immediately. To safeguard against QBot attacks, organizations and individuals need to pay attention to its distribution methodology.
Since the malware spreads quickly and can invite multiple ransomware operations onto the victim’s system, organizations should take a system offline as soon as a QBot infection is detected. By halting affected systems, organizations can contain the spread of the malware and execute their security protocols to handle the incident.
Organizations will be able to prevent any damage to the network and will be able to take steps to detect, contain, and remediate the QBot attack effectively.
Cybercriminals keep refining their attack methodologies to gain the upper hand over the cybersecurity strategies adopted by enterprise networks. The latest QBot email attacks have proved innovative because they use the reply-chain mechanism to launch malware.
Reply-chain emails appear trustworthy because they continue an existing conversation, which is exactly what makes them effective. Therefore, cybersecurity experts should be wary of the latest QBot email attack vectors employed by malicious actors to enable access to more harmful malware and cripple the entire enterprise network. By understanding new threats as they emerge, organizations will be better prepared, with up-to-date phishing protection solutions, to handle such an incident if it occurs.