Qbot Malware Dropped via Context-Aware Phishing Campaign

silversurfer

A phishing campaign dropping the Qbot banking Trojan with the help of delivery emails camouflaged as parts of previous conversations was spotted during late March 2019 by the JASK Special Operations team.

Qbot (also known as QakBot and Pinkslipbot) is a quite old yet still active and continuously evolving banking Trojan with worm capabilities, used by malicious actors since at least 2009 [1, 2, 3, 4] to steal financial data and banking credentials from their targets, to drop additional malware, to log user keystrokes, and to create a backdoor to compromised machines.

As detailed by the JASK SpecOps security researchers, "The delivery mechanism for this Qbot infection was a phishing campaign where the targeted user received an email containing a link to an online document. Interestingly enough, the delivery email was actually a reply to a pre-existing email thread."

The phishing email uses a hyperlink to a VBScript-based dropper script packed as a ZIP archive and designed to drop the Qbot malware payload after being launched by the victim.

Phishing e-mail
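A defender-side triage check for the delivery chain described in the post above: a message that is a reply in an existing thread, links to a ZIP archive, and whose archive holds a script file. This is an added example, not code from the original post or from JASK; the function names, the script-extension list, and the sample message and archive are constructed assumptions.

```python
import io, re, zipfile
from email import message_from_string
# Assumption: extensions treated as script types for triage (not from the post).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_reply(msg):
    """True when headers or subject mark the message as part of a thread."""
    subject = (msg.get("Subject") or "").strip().lower()
    return bool(msg.get("In-Reply-To") or msg.get("References")) or subject.startswith("re:")

def archive_links(msg):
    """URLs in text parts whose path (query string ignored) ends in .zip."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        for url in (u.rstrip(".,;)") for u in URL_RE.findall(body)):
            if url.split("?", 1)[0].lower().endswith(".zip"):
                links.append(url)
    return links

def script_members(zip_bytes):
    """Script-type member names, read from the listing without extracting."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []  # not a readable ZIP: nothing to report

def triage(raw_email, zip_bytes=None):
    msg = message_from_string(raw_email)
    reply, links = is_reply(msg), archive_links(msg)
    return {"reply": reply, "zip_links": links, "flag": reply and bool(links),
            "scripts": script_members(zip_bytes) if zip_bytes else []}

# Constructed sample input (example domains, placeholder file content).
SAMPLE_EMAIL = ("From: sender@example.com\nSubject: RE: Q1 invoice\n"
                "In-Reply-To: <constructed-id@example.org>\n"
                "Content-Type: text/plain; charset=utf-8\n\n"
                "Document: http://files.example.net/docs/invoice_scan.zip\n")

def sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_scan.vbs", "' constructed placeholder\n")
    return buf.getvalue()
```

A reply that links to an archive is common in legitimate mail, so `flag` is a reason to inspect the archive listing, not a verdict on its own.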

