G DATA threat report: Qbot replaces Emotet. Cyber attacks on companies are increasing sharply. The latest G DATA threat report shows that cyber criminals have already found a successor for Emotet: Qbot.
The malware was involved in almost every fourth attack that was averted. The figures show that companies were particularly the focus of cyber criminals in the first quarter. Within a year, the number of attacks averted rose by more than 60 percent.
Companies more in sight
G Data Tim Berghoff Security Evangelist (Image: GData)
The current threat report from G DATA CyberDefense shows that companies are more targeted by cyber criminals. While the number of cyberattacks averted against private users has changed only slightly - an increase of 1,9 percent compared to the first quarter of 2020 to the first quarter of 2021 - the number of attacks on companies has increased significantly. The number of attacks averted between January and March of this year was 61,7 percent compared to the same period last year. The numerous attacks on Exchange servers that have caused problems for many companies - and will continue to do so - also fall during this period.
"In the second year of the corona pandemic, companies still have a lot of catching up to do when it comes to securing their IT," says Tim Berghoff, Security Evangelist at G DATA CyberDefense. “Cyber criminals are playing into the hands of the continuing home office situation and are capitalizing on it. IT managers must finally act and say goodbye to the quickly set up, provisional home office structures and create a secure IT infrastructure."
Emotet is dead! - Long live Qbot!
When Emotet was shut down by an internationally coordinated campaign at the end of January, a question quickly arose: Which malware is inheriting the all-purpose cybercrime weapon? The answer is: Qbot. Current figures show that Qbot is involved in 22 percent of all attacks averted. The attackers gradually developed the original banking Trojan on a modular basis, now has additional worm elements and is active as a credential stealer and loader. The criminals are currently taking advantage of existing mail conversations and adding a new message containing a link to a compromised website with a .zip archive. Qbot downloads this .zip and installs the malware on the computer. In addition to health organizations, government agencies, financial institutions and retail companies are currently on Qbot's attack list.
Attacks are becoming more and more professional
G DATA threat report: Qbot replaces Emotet (Image: GData).
In addition to the Emotet successor Qbot, a noticeable number of Remote Access Trojans (RAT) are currently active. More than 30 percent of the averted attacks were carried out with AveMariaRAT or njRAT. RATs enable remote control and administrative control of an external computer unnoticed by the user. For example, attackers can view the victim's desktop, log keystrokes, access the camera, copy login information stored in browsers or upload or download files.
The current RAT campaigns in particular show that the trend is towards increasingly professional cyber attacks. Criminals increasingly work in a division of labor and assemble individual components as malware-as-a-service to form a modular chain of infection. A detailed analysis of a current campaign by the Aggah group shows that the attackers are trying to deactivate protection and detection mechanisms on the infected computer after the user has activated a malicious macro in a phishing email. The initial script looks at which endpoint protection solution is installed on the system and then selects the next script to trick the protection solution. In addition, the attackers also modularize their infrastructure by storing malicious code on the Pastebin text-sharing platform and calling it up from there.
Phishing emails as a weapon of attack
“Right now, companies have to pay more attention to the human factor in IT security. The home office situation and the pandemic put employees under stress and make them more susceptible to attempted attacks. Due to the simultaneity of work and private life, concentration is less for many employees, so that they click on a fake email more quickly. Also because there is no direct exchange with colleagues who could be asked for advice, ”says Tim Berghoff.
More at GData.de
About G Data With comprehensive cyber defense services, the inventor of the anti-virus enables companies to defend themselves against cybercrime. Over 500 employees ensure the digital security of companies and users. Made in Germany: With over 30 years of expertise in malware analysis, G DATA conducts research and software development exclusively in Germany. The highest standards of data protection are paramount. In 2011, G DATA issued a “no backdoor” guarantee with the “IT Security Made in Germany” seal of trust from TeleTrust eV. G DATA offers a portfolio from anti-virus and endpoint protection to penetration tests and incident response to forensic analyzes, security status checks and cyber awareness training to defend companies effectively. New technologies such as DeepRay use artificial intelligence to protect against malware. Service and support are part of the G DATA campus in Bochum. G DATA solutions are available in 90 countries and have received numerous awards.