Check Point researchers show how the Qbot trojan has evolved to hijack email threads to carry out password and credit card theft, ransomware installation and unauthorized banking transactions
· Over 100,000 current victims estimated globally, making it currently the most widespread malware
· Qbot collects legitimate emails from infected users’ Outlook to try and trick new victims by hijacking genuine email conversations
Security researchers at Check Point have detected an evolved and more dangerous form of a notorious information-stealing trojan that is spreading fast globally, targeting both organizations and individuals. First identified in 2008, the Qbot trojan harvests browsing data and financial information, including online banking details.
Check Point’s researchers found several campaigns using Qbot’s new strain between March and August 2020. In one of the campaigns, Qbot was being distributed by the Emotet trojan, a banking Trojan that can steal data by eavesdropping on network traffic, leading Check Point researchers to believe that Qbot has adopted new malware distribution techniques, as well as a renewed command and control infrastructure. This campaign involving distribution by Emotet impacted 5% of organizations globally in July 2020.
New strain, new capabilities.
The latest version of Qbot has evolved to become highly structured and multi-layered, extending its capabilities. The information-stealing trojan has become the malware equivalent of a Swiss Army knife, according to researchers, capable of:
· Information theft. Stealing information from infected machines, including passwords, emails, credit card details and more.
· Ransomware installation. Installing other malware on infected machines, including ransomware.
· Unauthorized banking transactions. Allowing the bot controller to connect to the victim's computer (even when the victim is logged in) to make banking transactions from the victim's IP address.
Email thread hijacking
The initial infection chain starts by sending specially crafted emails to the target organizations or individuals. Each of the emails contains a URL to a ZIP with a malicious Visual Basic Script (VBS) file, which contains code that can be executed within Windows.
Once a machine is infected, Qbot activates a special ‘email collector module’ which extracts all email threads from the victim's Outlook client and uploads them to a hardcoded remote server. These stolen emails are then utilized for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation. Check Point’s researchers have seen examples of targeted, hijacked email threads with subjects related to Covid-19, tax payment reminders, and job recruitments.
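The thread-hijacking pattern described above (a reply that continues a genuine conversation but arrives from an unrelated sender and carries a link to a ZIP) can be turned into a simple gateway-side heuristic. The following is an added example, not Check Point's code or anything from their report: it indexes the threads a mail system has already delivered by Message-ID, then scores an inbound reply on whether its sender domain belongs to that thread, whether it reuses a known participant's display name from a different domain, and whether the body links to an archive file. The messages, domains and URLs are constructed for illustration; the header fields are standard RFC 5322 headers.

```python
"""Heuristic detector for replies that hijack an existing email thread.

Added example, not Check Point's code. The messages below are constructed
for illustration; the header names are standard RFC 5322 fields. A mail
gateway that keeps an index of threads it has already delivered can apply
the same checks to each inbound reply.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Links to archive files, the delivery vehicle described in the article
# (a URL to a ZIP holding a VBS file).
ARCHIVE_URL = re.compile(r"https?://\S+\.(?:zip|rar|7z)\b", re.IGNORECASE)

# Constructed: a genuine two-message thread between two organisations.
KNOWN_THREAD = [
    "From: Alice Example <alice@partner.example>\n"
    "To: bob@victim.example\n"
    "Subject: Tax payment reminder\n"
    "Message-ID: <orig-1@partner.example>\n"
    "\n"
    "Bob, the Q2 payment is due next week.\n",
    "From: Bob Example <bob@victim.example>\n"
    "To: alice@partner.example\n"
    "Subject: RE: Tax payment reminder\n"
    "Message-ID: <orig-2@victim.example>\n"
    "In-Reply-To: <orig-1@partner.example>\n"
    "References: <orig-1@partner.example>\n"
    "\n"
    "Thanks Alice, will sort it out.\n",
]

# Constructed: a reply that continues the thread but comes from an unrelated
# domain, reuses a participant's display name and points at an archive.
SUSPICIOUS_REPLY = (
    "From: Bob Example <bob@mail-relay.example>\n"
    "To: alice@partner.example\n"
    "Subject: RE: Tax payment reminder\n"
    "Message-ID: <new-1@mail-relay.example>\n"
    "In-Reply-To: <orig-2@victim.example>\n"
    "References: <orig-1@partner.example> <orig-2@victim.example>\n"
    "\n"
    "Please see the updated invoice: http://files.example/invoice_2020.zip\n"
)


def _referenced_ids(msg):
    """Message-IDs named in References and In-Reply-To, in header order."""
    refs = (msg.get("References") or "").split()
    refs.append((msg.get("In-Reply-To") or "").strip())
    return [r for r in refs if r]


def _participants(msg):
    """(display names, domains) of every From/To/Cc address on a message."""
    headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = getaddresses(headers)
    names = {n.strip().lower() for n, _ in addrs if n.strip()}
    domains = {a.rsplit("@", 1)[1].lower() for _, a in addrs if "@" in a}
    return names, domains


def build_thread_index(raw_messages):
    """Map each known Message-ID to the names and domains seen on its thread."""
    index = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        names, domains = _participants(msg)
        # Merge with the messages this one references so the whole thread
        # shares one participant set.
        for ref in _referenced_ids(msg):
            if ref in index:
                names |= index[ref]["names"]
                domains |= index[ref]["domains"]
        index[msg["Message-ID"].strip()] = {"names": names, "domains": domains}
    return index


def assess_reply(raw_reply, index):
    """Score one inbound reply against the thread index and return the findings."""
    msg = message_from_string(raw_reply)
    known = [r for r in _referenced_ids(msg) if r in index]
    sender_name, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower() if "@" in sender_addr else ""
    body = "" if msg.is_multipart() else msg.get_payload()
    archive_links = ARCHIVE_URL.findall(body)

    if not known:
        # Not a continuation of any thread we delivered; other controls apply.
        return {"verdict": "no-thread-context", "archive_links": archive_links}

    thread_names = set().union(*(index[r]["names"] for r in known))
    thread_domains = set().union(*(index[r]["domains"] for r in known))
    outside = sender_domain not in thread_domains
    name_reuse = outside and sender_name.strip().lower() in thread_names

    if outside and archive_links:
        verdict = "suspected-thread-hijack"
    elif outside or archive_links:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "sender_outside_thread": outside,
        "display_name_reuse": name_reuse,
        "archive_links": archive_links,
    }


if __name__ == "__main__":
    idx = build_thread_index(KNOWN_THREAD)
    print(assess_reply(SUSPICIOUS_REPLY, idx))
```

The verdict tiers are deliberately coarse: a reply from outside the thread that also links to an archive is the combination the article describes and is the only one flagged outright, while either signal alone is queued for review, since legitimate participants do change domains and do send archives. Because the stolen threads are genuine, subject-line and quoted-text checks alone cannot separate the hijacked reply from the real conversation; the participant index is what gives the gateway something the attacker cannot copy from the victim's mailbox.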
Yaniv Balmas, Head of Cyber Research at Check Point said: “Our research shows how even older forms of malware can be updated with new features to make them a dangerous and persistent threat. The threat actors behind Qbot are investing heavily in its development to enable data theft on a massive scale from organizations and individuals. We have seen active malspam campaigns distributing Qbot directly, as well as the use of third-party infection infrastructures like Emotet's to spread the threat even further. We hope that our observations and research into Qbot will help put an end to the threat. For now, I strongly recommend people to watch their emails closely for signs that indicate a phishing attempt – even when the email appears to come from a trusted source.”
To help organizations and individuals protect themselves against these types of phishing attacks, Check Point recommends the following:
1. Incorporate email security. Email is by far the number one vector for attackers to infiltrate networks and PCs, and steal data. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
2. Be suspicious. Be wary of emails that contain unknown attachments or unusual requests, even if they appear to originate from trusted sources. It’s always better to check the email is legitimate before clicking a link or an attachment.
3. Add verification. When dealing with bank transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
4. Notify business partners. If an email breach has been detected in your organization, make sure to notify all your business partners as well – any delay in notification only works for the benefit of the attacker.
Full details of the researchers’ analysis of Qbot’s latest features and attacks are at: https://research.checkpoint.
Chart: Attacked Organizations by Country