Account Takeover Fraud , Cybercrime , Fraud Management & Cybercrime

Qbot Banking Trojan Now Hijacks Outlook Email Threads

Check Point Research: Message Content Used to Personalize Phishing Emails
Qbot Banking Trojan Now Hijacks Outlook Email Threads
Example of a job-themed phishing email used to spread the Qbot Trojan (Source: Check Point Research)

The operators behind the Qbot banking Trojan are deploying a new version of the malware that uses hijacked Microsoft Outlook email threads to create and send personalized phishing emails, according to a Check Point Research report released Thursday.

See Also: Understanding Human Behavior to Tackle ATO & Fraud

This campaign, which appears to have started in March and is ongoing, has targeted over 100,000 victims worldwide, including in the U.S., India, Italy and Israel, according to the report.

In addition to stealing banking data and passwords, Qbot can now swipe credit card information as well as install other malware within infected devices or networks, such as ransomware, Check Point reports.

Qbot, also known as Qakbot, first surfaced in 2008. The researchers note the Trojan is now being delivered to compromised devices using the Emotet botnet, which resurfaced in July with a new malicious spam campaign (see: Update: Emotet Botnet Delivering Qbot Banking Trojan).

"Emotet has a very strong infrastructure and efficient malspam infection," Alex Ilgayev, a malware researcher at Check Point, tells Information Security Media Group. "At first, we thought QBot had replaced its malspam infection with Emotet's, but then we noticed even more malspam from QBot. This shows how dangerous and efficient QBot is becoming these days."

Qbot’s new capabilities allow the malware to target a wider range of victims, Ilgayev says. "Our data shows that a large numbers of organization from the military and government sectors were attacked."

New Tactics

In the new campaign that Check Point researchers discovered, the attack begins when socially engineered phishing emails are delivered to Outlook users' inboxes. These emails contain a URL or a Zip file with malicious Visual Basic Script. When this is executed, the Qbot malware is downloaded from a hardcoded URL to the compromised device.

The malware then activates what the researchers call an "email collector module," which extracts all the email threads from the victim's Outlook client.

"These stolen emails are then utilized for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation," according to the Check Point report.

The malspam campaigns mainly deal with subjects related to COVID-19, tax payment reminders and job recruitment, the researchers add.

Once the latest version of Qbot is installed, the Trojan can perform a number of functions, including:

  • Stealing device information, passwords, emails and credit card details;
  • Acting as a dropper to help install other malware, including ransomware, within an infected device;
  • Connecting to the victim's device to conduct banking transactions.

Other Attacks

In June, researchers at F5 Labs uncovered a Qbot campaign that targeted customers of several large financial institutions, including JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo (see: Researchers: Qbot Banking Trojan Making a Comeback).

In 2014, researchers at Proofpoint found that 800,000 banking credentials of victims who mainly were customers of the five largest U.S. financial services firms were stolen using Qbot (see: Hackers Grab 800,000 Banking Credentials).

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.