Qbot Malware’s Back, and Latest Strain Relies on Visual Basic Script to Slip into Target Machines (Feb 28, 2019)
A new variant of the credential-stealing malware “Qbot” has been observed in the wild, according to Varonis researchers. This version appears to retain “the anti-analysis polymorphism features of the original,” which dates back approximately 10 years. Threat actors are using the new variant to target organizations primarily located in the US, but infections have also been observed throughout Europe and South America. The objective of these campaigns is to steal financial data and Personally Identifiable Information (PII). Qbot is being distributed via phishing emails containing an attachment that uses a malicious macro to begin the infection process.
Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments in favor of a cloud file hosting service like Box or Dropbox.