Qbot uses a new email collector module in the latest campaign

Pierluigi Paganini August 31, 2020

QBot Trojan operators are using new tactics in their campaign to hijack legitimate email conversations to steal sensitive data from the victims.

Researchers from Check Point are warning of a new trend observed in QBot Trojan campaign targeting Microsoft Outlook users,

QBot Trojan operators are using new tactics to hijack legitimate email conversations and steal personal and financial data from the victims.

Threat actors are employing a new module specifically designed to collect and compromise email threads on infected systems. 

QBot, aka Qakbot and Pinkslipbot, has been active since 2008, it is used by malware for collecting browsing data and banking credentials and other financial information from the victims.

According to the experts, the QBot Trojan has infected over 100,000 systems across the world.

Its modular structure allows operators to implement new features to extend its capabilities.

Researchers from CheckPoint observed a new variant of QBot being spread in several campaigns between March and August as the result of Emotet infections. The researchers estimate that one of these campaigns that took place in July impacted roughly 5% of organizations worldwide. Most of the infections were observed in organizations in the US and Europe, the most targeted industries were in the government, military, and manufacturing sectors. 

“One of Qbot’s new tricks is particularly nasty, as once a machine is infected, it activates a special ‘email collector module’ which extracts all email threads from the victim’s Outlook client, and uploads it to a hardcoded remote server.” reads the analysis published by CheckPoint. “These stolen emails are then utilized for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation.”

The spam messages contain URLs to .ZIP files that serve VBS content designed to download the payload from one of six hardcoded encrypted URLs. 

Upon infecting a system, a new module in the latest QBot variant implements an email collector that extracts all email threads contained within an Outlook client and uploads them to the attacker’s C2 server.  

The attackers could hijack the email threads to propagate the malware.

QBot infection chain

Check Point’s experts have analyzed examples of targeted, hijacked email threads with subjects related to Covid-19, tax payment reminders, and job recruitment content.

The researchers documented multiple QBots’ module inlucing:

  • Executable Update – Updates the current executable with a newer version or newer bot list.
  • Email Collector Module – Extracts all e-mail threads from the victim’s Outlook client by using MAPI32.dll API, and uploads it to a hardcoded remote server.
  • Hooking Module – The module injects itself to all running processes, and hooks relevant API functions.
  • Web-Inject File – The file provides the injector module with a list of websites and JavaScript code that will be injected if the victim visits any of these websites.
  • Password Grabber Module – a large module that downloads Mimikatz and tries to harvest passwords.
  • hVNC Plugin – Allows controlling the victim machine through a remote VNC connection, for example to perform bank transactions on his behalf.
  • JS Updater Loader – Decrypts and writes a Javascript updater script. 
  • Cookie Grabber Module – targets popular browsers: IE, Edge, Chrome, and Firefox.

“These days Qbot is much more dangerous than it was previously — it has active malspam campaigns which infects organizations, and it manages to use a third-party infection infrastructure like Emotet’s to spread the threat even further,” the researchers conclude. “It seems like the threat group behind Qbot is evolving its techniques through the years”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Qbot)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment