New QBot email attacks use PDF and WSF combo to install malware


QBot malware is now distributed in phishing campaigns utilizing PDFs and Windows Script Files (WSF) to infect Windows devices.

Qbot (aka QakBot) is a former banking trojan that evolved into malware that provides initial access to corporate networks for other threat actors. This initial access is done by dropping additional payloads, such as Cobalt Strike, Brute Ratel, and other malware that allows other threat actors to access the compromised device.

Using this access, the threat actors spread laterally through a network, stealing data and eventually deploying ransomware in extortion attacks.

Starting this month, security researcher ProxyLife and the Cryptolaemus group have been chronicling Qbot's use of a new email distribution method — PDF attachments that download Windows Script Files to install Qbot on victims' devices.

It starts with an email

QBot is currently being distributed through reply-chain phishing emails, when threat actors use stolen email exchanges and then reply to them with links to malware or malicious attachments.

The use of reply-chain emails is an attempt to make a phishing email less suspicious as it's a reply to an ongoing conversation.
The phishing emails use a variety of languages, marking this as a worldwide malware distribution campaign.

Andy Ful

Like many similar attacks, it uses LOLBins to download malicious content. This can be prevented by blocking popular LOLBins from accessing the Internet.
Such prevention can be very efficient in the home environment and in most cases, it does not have any impact on the users' daily work.
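
One way to apply the mitigation described in the reply above, as an added example that is not part of the original thread or of any tool mentioned in it: outbound-block rules in Windows Defender Firewall for the Windows Script Host (which runs .wsf files) and other commonly abused binaries. The binary list and the rule group name are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: block outbound network access for script hosts and common LOLBins.
# The binary list below is an assumption, not taken from the thread; trim it to fit
# your environment (blocking powershell.exe can affect admin scripts that download).

$lolbins = @(
    'wscript.exe',     # Windows Script Host, runs .wsf/.js/.vbs
    'cscript.exe',     # console Windows Script Host
    'mshta.exe',
    'powershell.exe',
    'certutil.exe',
    'regsvr32.exe',
    'rundll32.exe',
    'curl.exe'
)

# 64-bit Windows ships separate 64-bit and 32-bit copies; rules are per path.
$dirs = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0"
)

$group = 'LOLBin outbound block example'   # hypothetical group name, used for rollback

foreach ($dir in $dirs) {
    foreach ($bin in $lolbins) {
        $path = Join-Path $dir $bin
        if (-not (Test-Path -LiteralPath $path)) { continue }   # binary not present here

        $name = "Block outbound: $path"
        # Skip rules that already exist so the script can be re-run safely.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

        New-NetFirewallRule -DisplayName $name -Group $group `
            -Direction Outbound -Action Block -Program $path `
            -Profile Any -Enabled True | Out-Null
        Write-Output "Added: $name"
    }
}

# Review or roll back everything this script created:
#   Get-NetFirewallRule    -Group 'LOLBin outbound block example'
#   Remove-NetFirewallRule -Group 'LOLBin outbound block example'
```

Block rules take precedence over allow rules in Windows Defender Firewall, so these apply even if an allow rule for the same program exists.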
