Revamped Qbot Trojan Packs New Punch: Hijacks Email Threads

New version of trojan is spreading fast and already has claimed 100,000 victims globally, Check Point has discovered.

Attacks attributed to the Qbot trojan, known as the “Swiss Army knife” of malware, are on the uptick with a reported 100,000 recent infections, according to researchers.

Qbot, an ever-evolving information-stealing trojan that’s been around since 2008, has shifted tactics again and adopted a bevy of new techniques, according to researchers at Check Point who released a report on their findings Thursday. For example, one new Qbot feature hijacks a victim’s Outlook-based email thread and uses it to infect other PCs.

The 12-year-old malware resurface in January 2020, according to F5 researchers, who issued a report in June detailing new Qbot evasive features to avoid detection.

“We assumed that the campaign was stopped [after June] to allow those behind QBot to conduct further malware development, but we did not imagine that it would return so quickly,” wrote Alex Ilgayev, the Check Point researcher behind the report.

Ilgayev now says Check Point has identified several fresh campaigns in recent months. One of those campaigns hitched a ride with the Emotet botnet, which also recently resurfaced after a five-month hiatus. This they said signals a new distribution technique. That single campaign impacted 5 percent of organizations globally in July, Check Point said. Researchers also suspect that Qbot has a renewed command-and-control infrastructure.

“Our research shows how even older forms of malware can be updated with new features to make them a dangerous and persistent threat,” Yaniv Balmas, head of cyber research at Check Point said in an email to Threatpost. “The threat actors behind Qbot are investing heavily in its development to enable data theft on a massive scale from organizations and individuals.”

So far, most of the victims of the new Qbot campaigns have been in the United States, where 29 percent of Qbot attacks have been detected, followed by India, Israel and Italy, according to Check Point.

Perhaps most troubling about the recent manifestation of Qbot is how it turns people’s own inboxes against them. Once installed, the trojan sends specially crafted emails to the target organizations or individuals, each with a URL to a ZIP with a malicious Visual Basic Script (VBS) file, which contains code that can be executed within Windows, researchers said.

If the file is executed, Qbot then activates a special “email collector module” to extract all email threads from the victim’s Outlook client, which it then uploads to a hardcoded remote server.

“These stolen emails are then utilized for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation,” researchers wrote.

The trojan picks off threads with timely and relevant subject material to try to fool victims; in the recent campaigns, Check Point researchers observed Qbot stealing emails related to Covid-19, tax-payment reminders and job recruitments.

Once it’s unleashed, Qbot boasts a number of capabilities, any of which would be problematic for victims on its own, researchers observed.

The malware can steal information from infected machines, including passwords, emails and credit card details, they said. It also can install malware, including ransomware, on other machines, or connect to a victim’s computer using the Bot controller to make bank transactions from that IP address, according to Check Point.

In addition to the usual email security protections, Check Point is advising people to be especially vigilante with any email that appears to be suspicious or remotely phish-y–even if the sender is someone they know–to avoid falling victim to the revamped Qbot, Balmas said.

“I strongly recommend people to watch their emails closely for signs that indicate a phishing attempt–even when the email appears to come from a trusted source,” he said.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Resister today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Suggested articles