The notorious and heavily distributed email-borne malware Qakbot is now being spread via a new technique: inserting malicious replies into the middle of existing email conversations.
According to cybersecurity firm Sophos, Qakbot uses the compromised accounts of other infected victims to interject itself in the form of a reply-all message that includes a short sentence and a link to download a zip file that contains a malicious office document.
In a new report outlining this threat, Sophos says the malware has become adept at this trickery, which includes quoting the original message after its malicious reply. That makes it challenging for targets of these attacks to recognize that the message didn’t come from the actual user.
Due to recent action by law enforcement and tech companies, including leaks of internal cybercriminal data, other email-driven botnets like Emotet and Trickbot have seen setbacks, leading to a “resurgence” of Qakbot.
These messages usually contain a short sentence followed by a link to download a zip archive; the link may be a bare URL or hotlinked text in the message body.
Some examples of messages given by Sophos include:
Hello,
Sorry for my late reply to your question. Attached is the document you need.
DOCUMENT DOWNLOAD LINK.
And:
Good morning,
Please read this ASAP.
DOCUMENT DOWNLOAD LINK.
In other cases, the messages are sent in the assumed language of the recipient.
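A defender-side heuristic for the message pattern described above, added here as an illustration and not taken from the Sophos report: it flags a message that sits in an existing thread, quotes the original underneath, and whose own new text is a single short sentence plus a link to a .zip archive. The two sample messages, their addresses and the URL are constructed.

```python
import re
from email import message_from_string

# Constructed sample (not from the report): a reply injected into an existing thread
# with a short sentence, a .zip download link and the original message quoted below.
SUSPICIOUS = """\
From: colleague@example.invalid
In-Reply-To: <orig-1@example.invalid>

Hello,
Sorry for my late reply to your question. Attached is the document you need.
https://files.example.invalid/download/document_2021.zip

On Mon, 5 Jul 2021 at 09:12, target@example.invalid wrote:
> Hi, could you send me the Q3 invoice when you get a chance?
"""
# Constructed benign reply: a substantive answer in the same thread, no archive link.
BENIGN = """\
From: colleague@example.invalid
In-Reply-To: <orig-1@example.invalid>

Hi, yes. Finance closed the quarter yesterday, so I have attached the signed
invoice here. Let me know if the PO number on page two needs correcting, and
I will reissue it before Friday.

On Mon, 5 Jul 2021 at 09:12, target@example.invalid wrote:
> Hi, could you send me the Q3 invoice when you get a chance?
"""

ZIP_LINK = re.compile(r"https?://\S+\.zip\b", re.IGNORECASE)
QUOTE_START = re.compile(r"^(>|On .+ wrote:|-+ ?Original Message ?-+)", re.MULTILINE | re.IGNORECASE)

def new_text(body: str) -> str:
    """Return only what the replier wrote: the body above the first quoted block."""
    m = QUOTE_START.search(body)
    return body[: m.start()].strip() if m else body.strip()

def assess_reply(raw: str, max_words: int = 25) -> dict:
    """Score one plain-text message; only the combination of all signals is flagged."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    own = new_text(body)
    signals = {
        "in_thread": bool(msg["In-Reply-To"] or msg["References"]),
        "quotes_original": QUOTE_START.search(body) is not None,
        "short_reply": len(own.split()) <= max_words,
        "zip_link": ZIP_LINK.search(own) is not None,
    }
    signals["suspicious"] = all(signals.values())
    return signals
```

The word threshold and quote markers are assumptions to tune against your own mail flow; the heuristic is meant to surface candidates for review, not to act as a blocking rule on its own.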
In these incidents, the Qakbot malware delivered at least three different payloads, including a web injector for stealing account credentials and an ARP-scanning component that attempted to profile the network on which it was running. It can also continue to communicate with its command-and-control server and receive payload updates months after infection.
According to Sophos, the malware and its command-and-control messaging are elaborately obfuscated and encrypted, concealing sensitive strings, configuration data and C2 addresses.
As with any email-based threat that relies on user action, education and awareness are the key to preventing Qakbot infection. Users should treat email with a “reflexive distrust,” according to the company.
Samples related to this malware may be detected as Mal/EncPk-AQC and some payloads (notably, the webinjects code) will be detected as Mal/QbotDat-A, according to Sophos.
For more information on this threat, read Sophos’ report.