In their quest for data theft, QBot Trojan operators have had a change of tactics to hijack legitimate emailed conversations. During which these operators are looking to steal credentials and financial data.

Cybersecurity researchers from Check Point, only yesterday published research on an alarming new trend. The research reported that this new trend sees Microsoft Outlook users vulnerable to a component that is designed to compromise email threads on infected machines

Certainly, having claimed at least 100,000 victims across many different countries is QBot, also called Qakbot and Pinkslipbot a form of malware. QBot trojan was discovered in 2008 and with its many different abilities has been nicknamed a “swiss army knife” malware. For instance, it acts not only as an information stealer but can deploy ransomware., amongst other deadly abilities.

In addition to its current deadly features, detected in a- number of campaigns between March and August, a new variant of Qbot has emerged. And it’s being deployed as a malicious payload by operators of the Emotet Trojan. In July of this year, researchers estimated that roughly 5% of the organisations worldwide were impacted by one particularly extensive campaign.

QBot malware lands on an at- risk machine by phishing documents. Calling the payload from one of six hardcoded encrypted URLs that were contained in URLs to .ZIP files that serve VBS content.

So, the new modern QBot variant described by Check Point as an “email collector module” once the PC has been infected extracts all email threads contained within an Outlook client. After that, it uploads these threads to the attacker’s command-and-control centre, their (C2) server.

Threads that have been hijacked are then used by the attacker to go deeper and propagate the malware further. unwitting readers thinking that the email sent by a legitimate threat is a genuine message. Therefore, being more inclined to click on infected attachments.

Some of the most tracked subjects include;

  1. tax payment reminders,
  2. job recruitment content,
  3. COVID-19-related messages. 

Meanwhile the list of Qbot’s sinister abilities include steal browsing data, email records and banking credentials. And to harvest passwords, one of the Trojan’s modules downloads Mimikatz.

Furthermore the malware can install malicious payloads including ransomware such as ProLock by using browser web injections. In addition, Qbots ar eable to connect infected machines as slave nodes in a wider botnet. These can be armed up in order to conduct DDoS attacks – distributed denial-of-service. Lastly as this “swiss army knife” is ever-evolving malware, one of the new features is the ability to remotely fetch and install updates and new modules. 

As a result of QBot’s deadly weapon, they’ve been focusing on the government, military, and manufacturing entities in US and Europe, evidenced by launching their malspam campaign this month.  For example, the researchers are saying,

“These days Qbot is much more dangerous than it was previously — it has active malspam campaigns which infects organizations, and it manages to use a third-party infection infrastructure like Emotet’s to spread the threat even further.”