Attackers are using a new QBot Trojan module to intercept legitimate email messages in order to harvest financial details and credentials.
Security researchers from Check Point have just released research on one of the latest malware trends, in which Microsoft Outlook users are exposed to a purpose-built module that collects email threads from compromised computers.
The malware is known as QBot, but is also encountered under the names Qakbot and Pinkslipbot, and is a prolific family.
So far, QBot's victims have been estimated at about 100,000, spread across several countries including the US, India and Israel.
The first version of this malware was described back in 2008 as a Trojan horse infection with multiple malicious capabilities. According to the published information, QBot can be used as a ransomware deployment tool in addition to stealing information from infected machines.
Research conducted between March and August this year detected a new version of QBot, which is being deployed through the Emotet Trojan's operations. Researchers estimate that about 5% of organizations worldwide were affected by this threat in an especially broad campaign conducted in July.
From the published report it becomes clear that the malware typically lands on vulnerable machines through phishing documents containing URLs to .ZIP files, which in turn serve VBS content. These files fetch the malicious payload from one of six heavily encrypted URLs.
Once a computer is compromised, a new feature added in the latest QBot version, known as the “E-Mail Collector Module”, can retrieve all email threads found in Outlook clients and submit them to the attackers' command-and-control servers.
The stolen threads are then used to spread the malware further. They are sent to unsuspecting readers who may assume they are genuine and, in this way, may easily click on the contaminated attachments. Tax payment alerts, career recruiting details and COVID-19-related information are the main subjects typically used by the malware distributors.
According to the released research, QBot can steal email records, browsing data, online banking credentials and more. The Trojan also has a module that silently downloads a password stealer named Mimikatz onto the compromised computer.
The malware is also capable of downloading harmful payloads such as the ProLock ransomware. QBot often links compromised computers into a larger botnet as bot nodes, which can be used to launch distributed denial-of-service (DDoS) attacks. QBot's latest function is to download and install updates and the latest modules remotely.
Researchers are warning that QBot is much more dangerous than before, since it has launched a new malicious spam campaign this month targeting US-based and European governmental institutions, military, and manufacturing entities.