Earlier this month, Kaspersky discovered a Qbot malware spike targeting corporate users, spread via a malicious spam-email campaign. Attackers use advanced social engineering techniques: they intercept existing work correspondence and forward malicious PDF attachments to the same email threads. The last method is considered unusual for this malware. Since April 4, more than 5,000 emails containing PDF attachments have been received in various countries, with the campaign continuing. Kaspersky researchers conducted a technical analysis of the scheme.
Qbot is a notorious banking Trojan that functions as part of a botnet network. It is capable of stealing data such as passwords and work correspondence. Also, it allows threat actors to control an infected system and install ransomware, or other Trojans on other devices in the network. The operators of the malware use various distribution schemes, including sending emails with malicious PDF attachments – not commonly observed within this campaign before.
Example of a forwarded email with a malicious PDF attachment. The message from the attacker is over the line
Since early April, Kaspersky observed a spike in activity from a spam email campaign using this particular scheme with PDF attachments. The wave began on the evening of April 4, and since then the experts have discovered more than 5,000 spam emails with PDF files spreading this malware in English, German, Italian, and French.
The banker is distributed through the real work correspondence of a potential victim, stolen by cybercriminals. They forward an email to all participants of the existing thread and usually ask them to open the malicious PDF attachment under various plausible circumstances. For example, attackers could ask to share all the documentation related to the attachment or calculate the amount of the contract according to the costs estimated in the attachment.
“We recommend companies stay vigilant because Qbot malware is very harmful, even though its core functionality hasn’t changed over the last two years. The operators are constantly enhancing their techniques, adding new convincing elements of social engineering. This increases the likelihood that an employee will fall victim to the ploy. To remain safe, carefully check various red flags, such as sender’s email address spelling, weird attachments, grammatical errors, and so on. In addition, specialised cybersecurity solutions can help ensure the security of corporate emails”, said Darya Ivanova, Malware Analyst at Kaspersky.
The content of the PDF file is an image mimicking a notification from Microsoft Office 365 or Microsoft Azure. If a user clicks ‘Open’, the malicious archive downloads to their computer from a remote server (compromised website).
Kaspersky experts conducted a detailed technical analysis of this scheme. It is available on Securelist.
To protect your organisation from related threats, Kaspersky experts recommend:
- Checking the sender’s address. Most spam comes from email addresses that don’t make sense or appear as gibberish. By hovering over the sender’s name, which itself may be spelled oddly, you can see the full email address. If you’re not sure if an email address is legitimate or not, you can put it into a search engine to check.
- Being wary of the message creating a sense of urgency. Spammers often try to apply pressure by creating a sense of urgency. For example, the subject line may contain words like “urgent” or “immediate action required” – to pressure you into acting.
- Providing your staff with basic cybersecurity hygiene training; also conducting a simulated phishing attack to ensure that they know how to distinguish phishing emails and genuine ones.
- Using a protection solution for endpoints and mail servers with anti-phishing capabilities, such as Kaspersky Endpoint Security for Business, to decrease the chance of infection through a phishing.
- Installing a reliable security solution such as Kaspersky Secure Mail Gateway, which automatically filters out spam messages.