The Qbot botnet is sending US election-themed phishing emails to infect victims with malicious payloads designed to steal user data as well as emails. The stolen data will be used in future malicious campaigns.
Qbot, also known as Qakbot, Pinkslipbot and Quakbot, is a banking trojan with worm features that has been actively used in the threat landscape since at least 2009. Cybercriminals use it to steal financial data and banking credentials, as well as to set up backdoors to infect the victim's device with malware.
The malspam emails recently identified by the Malwarebytes Labs Threat Intelligence team are presented as replies to previously stolen email threads. This tactic is used to add legitimacy and lure unsuspecting victims.
The phishing emails contain malicious Excel files presented as secure DocuSign files that allegedly contain information about US election interference.
After the Qbot malware runs and infects a victim's computer, it contacts the command and control server for further instructions. As reported by Malwarebytes' Jérôme Segura and Hossein Jazi, in addition to stealing and exfiltrating data from its victims, Qbot also steals emails that will be used in future malspam campaigns.
As BleepingComputer points out, in addition to phishing campaigns, hackers often use an exploit kit to infect a system with Qbot payloads, with the bot then infecting other devices on the victim's network using network sharing utilities and brute-force attacks targeting Active Directory administrator accounts.
The Qbot banking trojan has been used mostly in attacks against corporate entities. It is noteworthy that Qbot campaigns are rare. In particular, the researchers identified one in October 2014, one in April 2016 and one in May 2017. Qbot's malicious activity was strongly observed in 2019, when it was used as malware injected in the first or second stage of an attack by the Emotet gang, as well as part of a phishing campaign in 2019 that had the environment as its bait theme.