QBot Trojan Attacks Victims with Malicious Election Attachments

The QBot malware, also known as Qakbot and Pinkslipbot, is a banking trojan that has been in use since 2008. Attackers use QBot, which now includes updated worm features, to log keystrokes, install backdoors and distribute additional malware to compromised devices.

Researchers said the latest version of QBot includes detection-evasion and anti-analysis techniques that hide its malicious code and confuse scanners and anti-malware products.

As election night in the United States drew to a close with the results still uncertain, threat actors decided to take advantage. A new spam campaign was observed spreading malicious attachments that exploited doubts about the electoral process.

The QBot Trojan has returned in phishing emails about the U.S. elections, luring victims with malicious attachments themed around election interference.

Email threads carrying fake DocuSign documents

The malicious messages arrive as replies within existing email threads, the same technique Emotet (a Trojan that spreads mainly through spam) uses to appear legitimate and make detection harder.

They carry zip attachments named ElectoralInterference_[8-9 digits](.)zip (as shown in the figure below).

Figure: Phishing email (http://server.digimetriq.com/wp-content/uploads/2020/11/QBot-Trojan-Attacks-Victims-with-Malicious-Election-Attachments.jpg)

With the election results still being counted and debated, victims are inclined to open a document that promises details of alleged electoral interference.

The extracted file is an Excel spreadsheet (shown below) disguised as a secure DocuSign file that supposedly contains information about election interference. When potential victims open the decoy document, they are prompted to enable macros.

Figure: Malicious attachment (http://server.digimetriq.com/wp-content/uploads/2020/11/1604598133_70_QBot-Trojan-Attacks-Victims-with-Malicious-Election-Attachments.png)
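As an added defender's example (not code from the original article), the check below flags an attachment whose name matches the campaign's ElectoralInterference_<digits>.zip pattern and looks inside the zip for a macro-enabled Excel workbook; the sample attachment is constructed inline, and the xl/vbaProject.bin marker is the standard OOXML indicator of an embedded VBA project.

```python
import io
import re
import zipfile

# Attachment naming pattern reported for this campaign: ElectoralInterference_<8-9 digits>.zip
LURE_NAME = re.compile(r"^ElectoralInterference_\d{8,9}\.zip$", re.IGNORECASE)
EXCEL_EXT = (".xls", ".xlsm", ".xlsb")


def has_vba_project(workbook_bytes):
    """True if an OOXML workbook (.xlsm/.xlsb) carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(workbook_bytes)) as wb:
            return any(n.lower().endswith("vbaproject.bin") for n in wb.namelist())
    except zipfile.BadZipFile:
        # Legacy .xls is OLE2, not a zip; a full check would need an OLE parser.
        return False


def analyse_attachment(name, data):
    """Return a list of detection reasons for one attachment (empty = nothing matched)."""
    reasons = []
    if LURE_NAME.match(name):
        reasons.append("filename matches ElectoralInterference_<digits>.zip lure")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as outer:
            for inner in outer.namelist():
                if inner.lower().endswith(EXCEL_EXT):
                    reasons.append(f"zip contains Excel document {inner}")
                    if has_vba_project(outer.read(inner)):
                        reasons.append(f"{inner} contains a VBA project")
    except zipfile.BadZipFile:
        pass  # not a zip at all; other rules would handle it
    return reasons


def build_sample():
    """Constructed sample: a zip holding a minimal .xlsm with a placeholder VBA part."""
    xlsm = io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as wb:
        wb.writestr("[Content_Types].xml", "<Types/>")
        wb.writestr("xl/workbook.xml", "<workbook/>")
        wb.writestr("xl/vbaProject.bin", b"\x00placeholder")  # constructed, not real VBA
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("ElectoralInterference_123456789.xlsm", xlsm.getvalue())
    return "ElectoralInterference_123456789.zip", outer.getvalue()


if __name__ == "__main__":
    name, data = build_sample()
    for reason in analyse_attachment(name, data):
        print("ALERT:", reason)
```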

This tried-and-tested technique allows the macro to download a malicious payload to the victim's computer. The payload URL is obfuscated, as shown in the figure below.

Figure: Obfuscation of the payload URL (http://server.digimetriq.com/wp-content/uploads/2020/11/1604598133_573_QBot-Trojan-Attacks-Victims-with-Malicious-Election-Attachments.png)

Once executed, the QBot Trojan contacts its command-and-control server and requests instructions. In addition to stealing and exfiltrating victims' data, QBot also begins harvesting emails that are later used in subsequent spam campaigns.

Figure: QBot process flow (http://server.digimetriq.com/wp-content/uploads/2020/11/1604598133_524_QBot-Trojan-Attacks-Victims-with-Malicious-Election-Attachments.png)

Aggressive malware used in targeted campaigns

In addition to phishing campaigns, cybercriminals often use exploit kits to drop QBot payloads; the bot then infects other devices on the victim's network through network shares and highly aggressive brute-force attacks against Active Directory administrator accounts.

The QBot banking Trojan has mainly been used in targeted attacks on corporate organisations, which offer a better return on investment.

Global events such as the Covid pandemic or the American elections provide ideal material for crafting effective lures that lead to high infection rates.
