A malicious campaign targeting organisations with the Qbot malware has reared its ugly head again.
Researchers from Kaspersky have detected a new wave of activity targeting users all around the world, with corporate users from the META region making up 20% of all users affected globally.
Qbot is an infamous banking Trojan that can steal users’ data and emails from infected corporate networks, spread further in the network, and install ransomware or other Trojans on other devices therein.
Intercepting conversations
Bad actors allegedly intercept active business email conversations and send the recipients a message containing a link to download an archived file with a password, which leads to the banking Trojan being downloaded.
To trick users into opening or downloading the file, the malefactors usually claim it contains important information, such as a commercial offer. These schemes make these messages harder to detect and increase the risk of the recipient falling for the scam.
Kaspersky has detected more than 400 infected sites spreading Qbot so far.
Mimicking work correspondence
Victoria Vlasova, a senior security researcher at Kaspersky, says mimicking work correspondence is an old trick used by attackers. However, this campaign is more complicated as they employ an existing and previously stolen conversation to send a deceptive message that appears to be a continuation of the correspondence.
“This method increases the chances of the recipient opening the files. Therefore, we advocate that employees should be especially careful now when communicating in business correspondence so as not to accidentally open a malicious file with Qbot,” she ends.