Virtualization Technology News and Information
Qbot malware spike hits corporate emails with malicious PDF

Kaspersky has shared its discovery of a Qbot malware spike targeting corporate users, spread via a malicious spam-email campaign. The attackers used advanced social engineering techniques, intercepting existing work correspondence and forwarding malicious PDF attachments to the same email threads. This method is considered unusual for this malware. Since April 4, the ongoing campaign has sent more than 5,000 emails containing PDF attachments in various countries. Kaspersky researchers conducted a technical analysis of the scheme.

Qbot is a notorious banking Trojan that functions as part of a botnet network. It is capable of stealing data such as passwords and work correspondence. It also allows threat actors to control an infected system and install ransomware or other Trojans on other devices in the network. The operators of the malware use various distribution schemes, including sending emails with malicious PDF attachments - a method which was not commonly observed with this malware in the past.

The banker is distributed through the real work correspondence of a potential victim, stolen by cybercriminals. They forward an email to all participants of the existing thread and usually ask them to open the malicious PDF attachment under various plausible circumstances. For example, attackers could ask the recipient to share all documentation related to the attachment or calculate the amount of the contract according to the costs estimated in the attachment.

"We recommend companies stay vigilant because Qbot malware is very harmful, even though its core functionality hasn't changed over the last two years," said Darya Ivanova, malware analyst at Kaspersky. "The operators are constantly enhancing their techniques, adding new convincing elements of social engineering. This increases the likelihood that an employee will fall victim to the ploy. To remain safe, carefully check various red flags, such as sender's email address spelling, weird attachments, grammatical errors, and so on. In addition, specialized cybersecurity solutions can help ensure the security of corporate emails."

The content of the PDF file is an image mimicking a notification from Microsoft Office 365 or Microsoft Azure. If a user opens it, the malicious archive downloads to their computer from a remote server (compromised website).

Kaspersky experts conducted a detailed technical analysis of this scheme. It is available on Securelist.

To protect your organization from related threats, Kaspersky experts recommend:

  • Checking the sender's address. Most spam comes from email addresses that don't make sense or appear as gibberish. By hovering over the sender's name, which itself may be spelled oddly, you can see the full email address. If you're not sure if an email address is legitimate or not, you can put it into a search engine to check.
  • Being wary of the message creating a sense of urgency. Spammers often try to apply pressure by creating a sense of urgency. For example, the subject line may contain words like "urgent" or "immediate action required" - to pressure you into acting.
  • Providing your staff with basic cybersecurity hygiene training; also conducting a simulated phishing attack to ensure that they know how to distinguish phishing emails and genuine ones.
  • Using a protection solution for endpoints and mail servers with anti-phishing capabilities, such as Kaspersky Endpoint Security for Business, to decrease the chance of infection through a phishing
  • Installing a reliable security solution such as Kaspersky Secure Mail Gateway, which automatically filters out spam messages.
Published Monday, April 17, 2023 3:38 PM by David Marshall
Filed under:
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<April 2023>