New Malicious Campaign QBOT Uses Business Census to Deceive Victims
Cybersecurity experts at the Kaspersky laboratory have reported that a new malicious campaign known as QBOT is currently active. The malware uses a hacking business census to deceive unsuspecting users and install malicious software on their devices. The campaign was first detected on April 4th, and it primarily targeted individuals in Germany, Argentina, Italy, Algeria, Spain, the USA, Russia, France, Great Britain, and Morocco.
QBOT has been active since 2007 as a banking Trojan, and it steals passwords and cookies from web browsers. The malware acts as a backdoor for the introduction of useful payloads of the next stage, such as Cobalt Strike or various carrier programs. The malware continues to be updated and constantly evolves to use methods of protection against virtual machines, debugging, and “sandboxes.” QBOT was the most common malicious program in March 2022, according to analysts at Checkpoint.
Kaspersky researchers explained that QBOT was initially distributed through infected websites and pirate software, but it is now delivered via banner ads on websites, social engineering, and spam. Cybercriminals use phishing campaigns to connect to existing business conversations or initiate new ones based on previously hacked email accounts.
The most recent QBOT campaign involved scammers using a PDF file that was supposedly inaccessible because of the presence of secure files in it. Victims were prompted to click the “Open” button, which led to the download of a ZIP archive from the attackers’ website. The archive contained an outstanding Windows script file with an extension of “.WSF” that was designed to execute the PowerShell script. The PowerShell script then loaded the DLL Bibliotek from the fraudsters’ remote server, which was the QBOT malware.
Infection with malware like QBOT can lead to destructive attacks on corporate networks, and users are being warned to be vigilant when opening suspicious emails or attachments.