Qbot (a banking trojan that steals bank account credentials and financial information). This time, it's mainly targeting the military, government, and manufacturing sectors.
According to a report released by Check Point Research, this current wave of Qbot phishing activity seems to have coincided with the return of Emotet (another email-based malware built for botnet-driven spam campaigns and ransomware attacks).
"These days Qbot is much more dangerous than it was previously — it has an active malspam campaign which infects organizations, and it manages to use a 'third-party' infection infrastructure like Emotet's to spread the threat even further." (Check Point Research)
Since its first appearance in 2008, Qbot, also known as QakBot, Pinkslipbot, or QuakBot, has evolved swiftly and to a great extent: from a mere information stealer to a tool capable of delivering various sorts of attacks, whether obtaining remote access to a victim's Windows system to carry out bank transactions or deploying ProLock ransomware.
"Our research shows how even older forms of malware can be updated with new features to make them a dangerous and persistent threat. The threat actors behind Qbot are investing heavily in its development to enable data theft on a massive scale from organizations and individuals. We have seen active malspam campaigns distributing Qbot directly, as well as the use of third-party infection infrastructures like Emotet's to spread the threat even further." (Yaniv Balmas, Check Point Research)
The attack is carried out via email, either with an attached ZIP file or with a link to a ZIP file, containing a malicious Visual Basic Script (VBS). It lures the victim under the guise of COVID-19 updates, tax payment reminders, hiring notifications, and so on. Once the victim downloads the ZIP file, the attacker gains control of the system.
The malicious email contains a link to the ZIP file. The ZIP file contains a VBS downloader that runs the initial payload; this in turn decrypts the main payload (stored as an encrypted resource) and runs it inside "explorer.exe". The main payload then works through a hardcoded bot list for C&C communication, which is routed via Tier-2 proxies before finally reaching the C&C servers.
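As an added illustration of the delivery step above (example code written for this page, not from the Check Point report or from ISOEH), a gateway-side check that walks an attached ZIP, including nested archives, and flags script files such as the VBS downloader, treating double extensions and unreadable archives as suspicious. The sample attachment it inspects is constructed inline.

```python
"""Flag e-mail ZIP attachments that carry script droppers (e.g. .vbs), the
delivery vector described above. Example code, not from the Check Point report."""
import io
import zipfile

# Script types commonly abused as downloaders; .vbs is the one used in this campaign.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
MAX_DEPTH = 3  # stop unpacking nested archives beyond this depth


def script_members(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return paths of script files inside the archive, recursing into nested ZIPs.
    Nested hits are reported as 'outer.zip/inner.vbs'. Unreadable data is reported
    as a finding too: a gateway should not pass what it cannot inspect."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Judge by the final extension, lower-cased, so 'Report.PDF.vbs' is caught.
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                findings.append(name)
            elif ext == ".zip" and depth < MAX_DEPTH:
                inner = script_members(zf.read(name), depth + 1)
                findings.extend(f"{name}/{p}" for p in inner)
    return findings


def is_suspicious_attachment(zip_bytes: bytes) -> bool:
    return bool(script_members(zip_bytes))


def build_sample() -> bytes:
    """Constructed sample: a benign text file plus a nested ZIP holding a
    double-extension VBS, mimicking a 'tax reminder' lure attachment."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Tax_Reminder.pdf.vbs", "' placeholder text, not a real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "nothing to see\n")
        z.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()
```

Run `script_members(build_sample())` to see the nested VBS reported as `docs.zip/Tax_Reminder.pdf.vbs` while the benign text file is ignored.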
As per the report, India accounted for 7% of the overall attacks, whereas the USA experienced 29% and the UK 4%. Even a small country like Taiwan saw 5% of the attacks. By contrast, no Qbot attack has been documented in China, which is a curious data point in itself.
If you wish to become a malware analyst in an antivirus company, look into our course https://www.isoeh.com/reverse-engineering-malware-analysis.html.