New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware

April 17, 2023
Financial Security / Malware

Recent findings by Kaspersky reveal a fresh QBot malware campaign that uses compromised business correspondence to deceive victims into installing the malicious software. This ongoing operation, which began on April 4, 2023, is primarily targeting users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco.

QBot, also known as Qakbot or Pinkslipbot, has been active since at least 2007. It not only steals passwords and cookies from web browsers but also acts as a backdoor for delivering next-stage payloads like Cobalt Strike or ransomware. Distributed through phishing campaigns, QBot has undergone continuous updates to incorporate techniques that evade detection, such as anti-VM, anti-debugging, and anti-sandbox measures. Notably, it emerged as the most prevalent malware in March 2023, according to Check Point. In its early distribution, it relied on infected websites and other methods.


Phishing campaigns remain the primary vector for distributing QBot. This approach leverages the trust inherent in business communication to lure unsuspecting victims into executing malicious payloads unknowingly. The success of these campaigns can be attributed to the perceived legitimacy of the emails, which often appear as routine business communications.

In terms of adversary tactics and techniques, initial access in this campaign most likely comes from targeted phishing designed to get users to open malware-laden attachments or follow malicious links. Once installed, QBot relies on weaknesses in the infected system to maintain persistence and may use privilege escalation techniques to reach further sensitive data.
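The two paragraphs above describe the lure (a malicious attachment or link riding on a trusted, existing business thread) rather than any specific indicator, so a mail-gateway triage rule for that pattern is the natural defender-side illustration. The script below is an added example written for this page; it is not Kaspersky's detection logic and not anything taken from the QBot campaign. It scores a parsed message on whether it looks like a reply in an existing thread and, if so, whether it also carries a display-name/address mismatch, a Reply-To pointing elsewhere, a risky attachment type, or a link to a host outside the sender's domain. The sample messages, the `RISKY_EXTENSIONS` list and the scoring weights are all constructed assumptions for illustration, not published indicators.

```python
"""Heuristic triage for reply-chain ("thread hijacking") phishing lures.

Added example, not Kaspersky's or the QBot campaign's code.  Header names
are standard RFC 5322 fields; RISKY_EXTENSIONS, the weights and the sample
messages are assumptions chosen for illustration only.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Container/script types often used to smuggle payloads past attachment
# filters.  Assumed list for this example; tune it to local policy.
RISKY_EXTENSIONS = {".zip", ".iso", ".img", ".lnk", ".js", ".wsf", ".vbs", ".exe", ".one"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def parse_eml(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text with the modern (EmailMessage) policy."""
    return email.message_from_string(raw, policy=policy.default)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_org(host: str, dom: str) -> bool:
    return host == dom or host.endswith("." + dom)


def triage(msg: EmailMessage) -> dict:
    """Return a suspicion score, the reasons found, and a flag decision."""
    reasons = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Looks like a reply inside an existing conversation.
    subj = str(msg.get("Subject") or "").strip().lower()
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References")) or \
        subj.startswith(("re:", "aw:", "fw:", "fwd:"))
    if is_reply:
        reasons.append("reply-chain")

    # 2. Display name shows a mailbox from a domain other than the real sender.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", from_name):
        if _domain(shown) != from_dom:
            reasons.append("display-name-mismatch")
            break

    # 3. Replies would go somewhere other than the sender's domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_dom:
        reasons.append("reply-to-mismatch")

    # 4. Risky attachment type (checked by filename extension only).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            reasons.append(f"risky-attachment:{name}")

    # 5. A link whose host is outside the sender's own domain.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and not _same_org(host, from_dom):
            reasons.append(f"external-link:{host}")
            break

    # A lure matters most when it is riding on the trust of an existing thread.
    lure = [r for r in reasons if r != "reply-chain"]
    score = len(lure) * (2 if is_reply else 1)
    return {"score": score, "reasons": reasons, "flag": is_reply and bool(lure)}


def build_sample(from_hdr, subject, body, *, in_reply_to=None, attachment=None) -> str:
    """Build a constructed sample message and return it as raw text."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "accounts@acme-corp.example"   # constructed recipient
    m["Subject"] = subject
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()


THREAD_ID = "<constructed-thread-id@acme-corp.example>"   # constructed Message-ID
SAMPLES = {
    # Genuine reply from a colleague: in-thread, no lure.
    "legit_reply": build_sample("Dana Ortiz <dana@acme-corp.example>", "Re: Q2 invoice",
                                "Thanks, approved.", in_reply_to=THREAD_ID),
    # Lure riding on a stolen thread: spoofed display name, archive, outside link.
    "hijacked_thread": build_sample('"dana@acme-corp.example" <mail@payroll-update.example>',
                                    "Re: Q2 invoice",
                                    "See the attached document or http://cdn.docs-share.example/inv",
                                    in_reply_to=THREAD_ID,
                                    attachment=("invoice_0423.zip", b"PK\x03\x04constructed")),
    # Cold e-mail with an archive but no thread context: noted, not flagged.
    "cold_catalogue": build_sample("sales@vendor.example", "Catalogue",
                                   "Our new catalogue is attached.",
                                   attachment=("catalogue.zip", b"PK\x03\x04constructed")),
}


def triage_samples() -> dict:
    return {name: triage(parse_eml(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(name, result)
```

Only the hijacked-thread sample is flagged: the cold e-mail carries the same archive type but no thread context, and the genuine reply has the context but no lure, which is the distinction the campaign described above exploits.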

The breadth of QBot's target base is a significant concern for businesses, particularly in sectors that depend on digital communication. Recognizing such threats underscores the importance of robust cybersecurity measures, including training employees to recognize phishing attempts and keeping security controls up to date.

As the landscape of cyber threats continues to evolve, it is imperative for enterprises to remain vigilant against innovations in malicious tactics and to adapt their defenses accordingly. Understanding frameworks such as the MITRE ATT&CK Matrix can provide valuable context on potential attack methods and help organizations prepare for and mitigate risks associated with sophisticated malware attacks like QBot.
