QBot malware is now distributed in phishing campaigns utilizing PDFs and Windows Script Files (WSF) to infect Windows devices.
Qbot (aka QakBot) is a former banking trojan that evolved into malware that provides initial access to corporate networks for other threat actors. This initial access is done by dropping additional payloads, such as Cobalt Strike, Brute Ratel, and other malware that allows other threat actors to access the compromised device.
Using this access, the threat actors spread laterally through a network, stealing data and eventually deploying ransomware in extortion attacks.
Starting this month, security researcher ProxyLife and the Cryptolaemus group have been chronicling Qbot's use of a new email distribution method — PDF attachments that download Windows Script Files to install Qbot on victims' devices.
It starts with an email
QBot is currently being distributed through reply-chain phishing emails, where threat actors use stolen email exchanges and then reply to them with links to malware or malicious attachments.
The use of reply-chain emails is an attempt to make a phishing email less suspicious, as it appears to be a reply to an ongoing conversation.
The phishing emails use a variety of languages, marking this as a worldwide malware distribution campaign.