Earlier this month, Kaspersky discovered a Qbot malware spike targeting corporate users, spread via a malicious spam-email campaign. Attackers use advanced social engineering techniques: they intercept existing work correspondence and forward malicious PDF attachments to the same email threads. The last method is considered unusual for this malware. Since April 4, more than 5,000 emails containing PDF attachments have been received in various countries, with the campaign continuing. Kaspersky researchers conducted a technical analysis of the scheme.
Qbot is a notorious banking Trojan that functions as part of a botnet network. It is capable of stealing data such as passwords and work correspondence. Also, it allows threat actors to control an infected system and install ransomware, or other Trojans on other devices in the network. The operators of the malware use various distribution schemes, including sending emails with malicious PDF attachments - not commonly observed within this campaign before.
Example of a forwarded email with a malicious PDF attachment. The message from the attacker is over the line
Since early April, Kaspersky observed a spike in activity from a spam email campaign using this particular scheme with PDF attachments. The wave began on the evening of April 4, and since then the experts have discovered more than 5,000 spam emails with PDF files spreading this malware in English, German, Italian, and French.
The banker is distributed through the real work correspondence of a potential victim, stolen by cybercriminals. They forward an email to all participants of the existing thread and usually ask them to open the malicious PDF attachment under various plausible circumstances. For example, attackers could ask to share all the documentation related to the attachment or calculate the amount of the contract according to the costs estimated in the attachment.
“We recommend companies stay vigilant because Qbot malware is very harmful, even though its core functionality hasn’t changed over the last two years. The operators are constantly enhancing their techniques, adding new convincing elements of social engineering. This increases the likelihood that an employee will fall victim to the ploy. To remain safe, carefully check various red flags, such as sender’s email address spelling, weird attachments, grammatical errors, and so on. In addition, specialized cybersecurity solutions can help ensure the security of corporate emails,” said Darya Ivanova, Malware Analyst at Kaspersky.
The content of the PDF file is an image mimicking a notification from Microsoft Office 365 or Microsoft Azure. If a user clicks ‘Open’, the malicious archive downloads to their computer from a remote server (compromised website).
Kaspersky experts conducted a detailed technical analysis of this scheme. It is available on Securelist.
To protect your organization from related threats, Kaspersky experts recommend: