The banking Trojan Qbot is spreading further in a new wave of attacks that use infected PDFs. Companies in particular often receive the infected files in their mailboxes. The phishing campaign also spreads via German-language malicious files.
Kaspersky experts detected a new wave of Qbot malware activity earlier this month. It targets business users and is distributed via a malicious spam email campaign. The cybercriminals use advanced social engineering techniques: they intercept existing email correspondence and forward malicious PDF attachments within the conversation. So far, Kaspersky solutions have detected more than 5,000 such emails with PDF attachments in different countries, including Germany.
Qbot – a particularly dangerous banking Trojan
Qbot is a notorious banking Trojan that works as part of a botnet and can steal data such as passwords and business email correspondence. It also allows threat actors to take control of an infected system and install ransomware or other Trojans on devices on the network. The malware is distributed using a variety of methods, including as a malicious PDF attachment in emails, a method that has not been common in this campaign so far.
Since the beginning of April this year, there has been increased activity in a spam email campaign using this particular scheme with PDF attachments. The current wave of attacks began on the evening of April 4: since then, Kaspersky experts have detected more than 5,000 spam emails containing PDF files in English, German, Italian, and French that spread this malware.
Stolen email correspondence from companies
The banking Trojan is distributed via a potential victim's genuine business correspondence, previously stolen by the cybercriminals. To do this, the attackers forward an email to all participants in the existing thread, usually asking them to open the malicious PDF attachment and giving a plausible reason. The attackers ask recipients, for example, to forward all the documents contained in the attachment or to calculate the agreed order amount based on the costs estimated in the attachment. When the PDF is opened, a malicious archive is downloaded to the victim's computer from a remote server.
“The core functionality of the Qbot malware has not changed in the past two years; we advise companies to remain vigilant as the malware is very dangerous,” comments Darya Ivanova, Malware Analyst at Kaspersky. “Cyber criminals are constantly evolving their techniques and incorporating additional, more compelling social engineering elements. This increases the likelihood that an employee will fall for their scam. To protect yourself against this, warning signals such as the spelling of the e-mail address of the sender, strange attachments or grammatical errors should be carefully checked. Above all, the use of special cybersecurity solutions can ensure the security of business emails.”
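The warning signs named above (a PDF arriving as a reply in an existing thread, and the spelling of the sender address) can be checked mechanically. The following is an added example, not Kaspersky's detection logic; the participant list, the 0.85 similarity threshold, the finding labels and the sample message are all constructed assumptions.

```python
import email
from difflib import SequenceMatcher
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed: addresses already seen in the legitimate thread.
THREAD = {"anna@example.com", "ben@example.org"}

def build_sample(sender):
    """Constructed reply carrying a placeholder PDF typed as octet-stream."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "ben@example.org"
    m["Subject"] = "Re: Order 1234"
    m["In-Reply-To"] = "<constructed-1@example.com>"
    m.set_content("Please calculate the order amount from the attachment.")
    m.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                     maintype="application", subtype="octet-stream",
                     filename="costs.pdf")
    return m.as_bytes()

def is_pdf(part):
    """Match on declared type, file name, or PDF magic bytes."""
    name = (part.get_filename() or "").lower()
    body = part.get_payload(decode=True) or b""
    return (part.get_content_type() == "application/pdf"
            or name.endswith(".pdf") or body.startswith(b"%PDF-"))

def triage(raw, participants):
    """Return review findings for one raw message (hypothetical labels)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = getaddresses([str(msg.get("From", ""))])[0][1].lower()
    pdfs = [p for p in msg.iter_attachments() if is_pdf(p)]
    findings = []
    # A PDF delivered as a reply inside an existing conversation.
    if pdfs and (msg["In-Reply-To"] or msg["References"]):
        findings.append("pdf-in-reply")
    if sender not in participants:
        findings.append("sender-new-to-thread")
        # Near-miss spelling of an address that is in the thread.
        if any(SequenceMatcher(None, sender, k).ratio() >= 0.85
               for k in participants):
            findings.append("lookalike-sender")
    return findings

if __name__ == "__main__":
    print(triage(build_sample("Anna <anna@examp1e.com>"), THREAD))
```

A message sent from a genuine participant's compromised mailbox produces only `pdf-in-reply`, so that finding is a prompt for review of the attachment rather than a verdict.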