Qbot Malware Dropped via Context-Aware Phishing Campaign (Apr 24, 2019)
A phishing campaign observed by researchers from JASK drops the banking trojan "Qbot." The phishing email purports to be a reply to a pre-existing email thread and contains a link to an online document. The link leads to a VBScript-based dropper disguised as a ZIP archive, intended to get the user to open and unzip the file. If the user does so, the Qbot payload is dropped onto the machine. The malware then brute-forces network accounts on the compromised host to move laterally. Qbot steals financial information by hooking API calls and searching for banking strings on the system, by keylogging, and by searching for saved credentials in browser cookies.
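As an added example that is not part of the original advisory, the following Python detection flags the account brute-forcing described above by looking for one host failing logons against many distinct accounts in a short window; the host names, account names and failed-logon records are constructed and modelled on Windows Security event 4625.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (timestamp, source host, target account),
# modelled on Windows Security event 4625. Not taken from the advisory.
SAMPLE_EVENTS = [
    ("2019-04-24T09:00:01", "WS-FIN-07", "jsmith"),
    ("2019-04-24T09:00:02", "WS-FIN-07", "jsmith"),  # one user mistyping twice
    ("2019-04-24T09:10:05", "WS-ACCT-12", "admin"),
    ("2019-04-24T09:10:06", "WS-ACCT-12", "administrator"),
    ("2019-04-24T09:10:06", "WS-ACCT-12", "backup"),
    ("2019-04-24T09:10:07", "WS-ACCT-12", "svc_sql"),
    ("2019-04-24T09:10:08", "WS-ACCT-12", "jsmith"),
    ("2019-04-24T09:10:09", "WS-ACCT-12", "mjones"),
    ("2019-04-24T09:10:09", "WS-ACCT-12", "admin"),
    ("2019-04-24T09:10:10", "WS-ACCT-12", "administrator"),
]


def find_bruteforce_sources(events, window=timedelta(minutes=2),
                            min_failures=6, min_accounts=4):
    """Return {source: (failures, distinct_accounts)} for hosts whose failed
    logons within any sliding window of length `window` reach both thresholds.
    The distinct-account threshold separates a host working through many
    accounts, as in Qbot's lateral movement, from one user mistyping."""
    by_source = defaultdict(list)
    for ts, source, account in events:
        by_source[source].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for source, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            accounts = {acct for _, acct in in_window}
            if len(in_window) >= min_failures and len(accounts) >= min_accounts:
                prev = flagged.get(source, (0, 0))
                flagged[source] = (max(prev[0], len(in_window)),
                                   max(prev[1], len(accounts)))
    return flagged


if __name__ == "__main__":
    for host, (n, k) in find_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"{host}: {n} failed logons across {k} accounts")
```

The thresholds are assumptions to tune per environment; in production the same logic would read 4625 events from the domain controllers rather than the inline list.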
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favour of a cloud file-hosting service like Box or Dropbox.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.