- Aug 17, 2014
QBot Trojan operators are using new tactics to hijack legitimate, emailed conversations in order to steal credentials and financial data.
On Thursday, cybersecurity researchers from Check Point published research on the new trend, in which Microsoft Outlook users are susceptible to a module designed to collect and compromise email threads on infected machines.
A new variant of QBot, detected in several campaigns between March and August this year, is being deployed as a malicious payload by operators of the Emotet Trojan. The researchers estimate that one particularly extensive campaign in July impacted roughly 5% of organizations worldwide.
The malware lands on a vulnerable machine via phishing documents containing URLs to .ZIP files that serve VBS content, calling the payload from one of six hardcoded encrypted URLs.
Once a PC has been infected, a new and interesting module in the modern QBot variant described by Check Point as an "email collector module" extracts all email threads contained within an Outlook client and uploads them to the attacker's command-and-control (C2) server.