A new malicious QBot campaign was recently discovered spreading on Windows devices through PDF and Windows Script Files. The former banking Trojan is notorious for facilitating initial access to compromised networks for threat actors.
Perpetrators are historically known to use QBot to deploy additional malware, such as Cobalt Strike beacons and backdoors, to move laterally on compromised networks.
Last year, researchers discovered a QBot operation spreading malware through Windows Installer Packages. The recent campaign, however, has shifted towards a hybrid approach, combining PDF attachments and Windows Script Files (WSF) to the same effect.
According to cybersecurity expert ProxyLife and the Cryptolaemus group, which unearthed QBot’s novel campaign, the malware still piggybacks on phishing emails to spread. Additionally, perpetrators now leverage rogue PDF documents with embedded malicious links that, when accessed, attempt to download a ZIP-compressed WSF to the user’s device.
This campaign requires heavy user interaction to infect a device: the victim must download the PDF attachment from the email, open it, click the obnoxious “Open” button it displays, extract the WSF from the newly downloaded ZIP file, then execute it. Despite the lengthy chain of events leading to the actual point of compromise, the human factor makes QBot infections still highly probable.
Once the script is executed, it attempts to fetch a QBot DLL from a list of URLs, trying each until the download succeeds. The malicious DLL gets automatically placed in the device’s %TEMP% folder, checks whether the device is connected to the Internet, injects itself into a legitimate Windows process (Windows Error Manager / wmgr.exe), then keeps running stealthily in the background.
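As an added illustration, not code from the article or from ProxyLife's IoC list, the Python sketch below correlates constructed Sysmon-style events into the chain described above: a script host launching a .wsf from a user-writable folder, a DLL written to %TEMP%, and that same host then opening the wmgr.exe process. The event format, field names, sample lines and the default per-user %TEMP% location are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Fields: ts|event|pid|ppid|image|detail
SAMPLE_LOG = r"""
10:01:02|ProcessCreate|4100|3020|C:\Windows\System32\wscript.exe|C:\Users\alice\Downloads\invoice\invoice.wsf
10:01:05|FileCreate|4100|3020|C:\Windows\System32\wscript.exe|C:\Users\alice\AppData\Local\Temp\abc.dll
10:01:09|ProcessAccess|4100|3020|C:\Windows\System32\wscript.exe|C:\Windows\System32\wmgr.exe
10:02:00|ProcessCreate|5200|3020|C:\Windows\System32\wscript.exe|C:\Scripts\backup.wsf
10:02:01|FileCreate|5200|3020|C:\Windows\System32\wscript.exe|C:\Scripts\backup.log
"""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Folders where a user would extract a ZIP pulled from a phishing link
USER_PATHS = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)
# Default per-user %TEMP% directory (assumption) holding a freshly written DLL
TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.dll$", re.I)

def parse(line):
    ts, event, pid, ppid, image, detail = line.split("|", 5)
    return {"ts": ts, "event": event, "pid": pid, "ppid": ppid,
            "image": image.rsplit("\\", 1)[-1].lower(), "detail": detail}

def detect_qbot_chain(log_text):
    """Map each script-host pid to the chain stages it exhibits."""
    stages = defaultdict(set)
    for raw in log_text.strip().splitlines():
        ev = parse(raw)
        if ev["image"] not in SCRIPT_HOSTS:
            continue
        detail = ev["detail"]
        if ev["event"] == "ProcessCreate" and detail.lower().endswith(".wsf") \
                and USER_PATHS.search(detail):
            stages[ev["pid"]].add("wsf_from_user_path")
        elif ev["event"] == "FileCreate" and TEMP_DLL.search(detail):
            stages[ev["pid"]].add("dll_dropped_in_temp")
        elif ev["event"] == "ProcessAccess" and detail.lower().endswith("\\wmgr.exe"):
            stages[ev["pid"]].add("access_to_wmgr")
    return dict(stages)

def alerts(log_text, min_stages=2):
    """Pids worth escalating: two or more stages of the chain observed on one process."""
    return sorted(pid for pid, s in detect_qbot_chain(log_text).items() if len(s) >= min_stages)

if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))
```

The legitimate script on pid 5200 runs from an admin folder and writes only a log, so it never accumulates stages; pid 4100 hits all three and is the one to take offline and investigate.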
ProxyLife published a list of Indicators of Compromise (IoCs) to help users determine whether the new QBot malicious campaign has infected them. Users with compromised devices are advised to take them offline as soon as possible, considering QBot can quickly spread to adjacent workstations once it establishes a point of compromise on the network.
Specialized software such as Bitdefender Ultimate Security can protect you against QBot and other strains of malware with its extensive library of features, including:
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.