A phishing campaign dropping the Qbot banking Trojan with the help of delivery emails camouflaging as parts of previous conversations was spotted during late March 2019 by the JASK Special Operations team.
Qbot (also known as QakBot and Pinkslipbot) is a quite old yet still active and continuously evolving banking Trojan with worm capabilities, used by malicious actors since at least 2009 [1, 2, 3, 4] to steal financial data and banking credentials from their targets, to drop additional malware, to log user keystrokes, and create a backdoor to compromised machines.
As detailed by the JASK SpecOps security researchers, "The delivery mechanism for this Qbot infection was a phishing campaign where the targeted user received an email containing a link to an online document. Interestingly enough, the delivery email was actually a reply to a pre-existing email thread."
The phishing email uses a hyperlink to a VBScript-based dropper script packed as a ZIP archive and designed to drop the Qbot malware payload after being launched by the victim.