Security researchers at Check Point have detected an evolved and more dangerous form of a notorious information-stealing trojan that is spreading fast globally, targeting both organizations and individuals. First identified in 2008, the Qbot trojan harvests browsing data and financial information, including online banking details.

Check Point’s researchers found several campaigns using Qbot’s new strain between March and August 2020. In one of the campaigns, Qbot was being distributed by the Emotet trojan, a banking Trojan that can steal data by eavesdropping on network traffic, leading Check Point researchers to believe that Qbot has new malware distribution techniques, as well as a renewed command and control infrastructure. This campaign involving distribution by Emotet impacted 5% of organizations globally in July 2020.

New strain. new capabilities.
The latest version of Qbot has evolved to become highly structured and multi-layered, extending its capabilities. The information stealing trojan has become the malware equivalent of a Swiss Army knife, according to researchers, capable of:

• Information theft. Stealing information from infected machines, including passwords, emails, credit card details and more.
• Ransomware installation. Installing other malware on infected machines, including ransomware
• Unauthorized banking transactions. Allowing the Bot controller to connect to the victim’s computer (even when the victim is logged in) to make banking transactions from the victim’s IP address

Email thread hijacking
The initial infection chain starts by sending specially crafted emails to the target organizations or individuals. Each of the emails contain a URL to a ZIP with a malicious Visual Basic Script (VBS) file, which contains code that can be executed within Windows.

Once a machine is infected, Qbot activates a special ‘email collector module’ which extracts all email threads from the victim’s Outlook client, and uploads it to a hardcoded remote server. These stolen emails are then utilized for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation. Check Point’s researchers have seen examples of targeted, hijacked email threads with subjects related to Covid-19, tax payment reminders, and job recruitments.

Yaniv Balmas, Head of Cyber Research at Check Point said: “Our research shows how even older forms of malware can be updated with new features to make them a dangerous and persistent threat. The threat actors behind Qbot are investing heavily in its development to enable data theft on a massive scale from organizations and individuals. We have seen active malspam campaigns distributing Qbot directly, as well as the use of third-party infection infrastructures like Emotet’s to spread the threat even further. We hope that our observations and research into Qbot will help put an end to the threat. For now, I strongly recommend people to watch their emails closely for signs that indicate a phishing attempt – even when the email appears to come from a trusted source.”

The United States has been the number one target of Qbot attacks, making up nearly 29% of all attacks detected. India, Israel and Italy closely followed, each making up 7% of all attacks respectively. The attacks target organizations and individuals alike, with the aim of harvesting as much sensitive data as possible.

To help organizations and individuals protect themselves against these types of phishing attacks, Check Point recommends the following:
1. Incorporate email security. Email is by far the number one vector for attackers to infiltrate networks and PCs, and steal data. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
2. Be suspicious. Be wary of emails that contain unknown attachments or unusual requests, even if they appear to originate from trusted sources. It’s always better to check the email is legitimate before clicking a link or an attachment.
3. Add verification. When dealing with bank transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
4. Notify business partners. If an email breach has been detected in your organization, make sure to notify all your business partners as well – any delay in notification only works for the benefit of the attacker.