Light Dark
April 28, 2021 By David Bisson 2 min read
News

Attackers are using fake Windows Defender Antivirus emails to distribute QBot malware.

The QBot Attack Campaign

In late August 2020, Bleeping Computer revealed that QBot had begun using a new template in its email attacks.

This template also used stolen branding. It displayed a fake security warning from Windows Defender Antivirus within a Microsoft Word document. The fake alert also copied logos stolen from three other real firms.

According to the template, the sender supposedly encrypted the Word document with ‘corporative firewall.’

It then instructed the user to decrypt the document’s contents by clicking ‘Enable Content’ and enabling macros.

Compliance with that request caused the document’s malicious macros to execute and to install Emotet malware on the victim’s computer.

What Is Emotet?

Emotet is a complex trojan that commonly operates as a downloader of other malware samples. In the attack described above, Emotet downloaded QBot onto the victim’s computer when installed.

During the summer of 2020, both Malwarebytes and Check Point observed a resurgence of Emotet activity after those responsible for the trojan had seemingly gone quiet for five months.

Emotet’s handlers didn’t hold back in the months that followed. At the beginning of October 2020, for instance, the U.S. Cybersecurity & Infrastructure Security Agency revealed in an advisory that it had detected 16,000 alerts pertaining to Emotet since July of that year.

The warning arrived just days after Bleeping Computer spotted an attack campaign in which Emotet capitalized on the interest surrounding the 2020 U.S. presidential election by sending out emails that referenced a legitimate Democratic National Convention initiative.

QBot Malware’s Busy Year

QBot also had its fair share of fun last year.

Back in June, for instance, F5 Labs spotted a dedicated campaign in which digital attackers used a browser hijack or redirection to target banks in the United States with the information-stealing trojan.

Things ramped up in August when QBot entered Check Point’s monthly top 10 malware index for the first time at 10th place. That same month, researchers at the security firm revealed that they had witnessed the malware using a new “email collector module” to extract email threads from a victim’s Outlook client and to upload that data to a remote server under its attackers’ control.

By the following month, this new trick had helped QBot to climb to sixth place on Check Point’s malware list.

In November, QBot followed the example of Emotet by wading into the 2020 presidential election. In this case, email attackers used claims of election tampering to trick people into opening corrupted Excel files.

How to Defend Against QBot Malware

The persistence of threats such as QBot and Emotet highlights the need for defenses against email-borne malware. They can do this by regularly testing their employees’ awareness with phishing attacks and by using role-based employee education to instruct the entire workforce about the types of threats that might enter their inboxes.

At the same time, consider developing dedicated incident response plans, processes and teams. These could help reduce the harm of a successful email attack that might be carrying a malware payload. To make sure they’re protected, you should test those processes and plans on a regular basis.

 |  | 
David Bisson
Contributing Editor

More from News
December 19, 2023

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

August 16, 2023

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature