IOTW: Malware Mainstay QBot Targets Election Insecurities With New Phishing Campaign
The 2020 U.S. election is over—sort of—and with it, the fear of a massive hacking campaign. However, QBot, a malware mainstay, has found itself a new opportunity among all the chaos.
While malware trends come and go, QBot has been an ever-evolving cyber security threat for the past decade. QBot also goes by Qakbot and Pinkslipbot. In the beginning, it targeted banks as a Trojan. A Trojan is a type of malware that enters a computer or network by disguising itself as something the user is interested enough in to click on.
These days, it has evolved into a multipurpose cybercrime tool used to distribute ransomware, steal emails and the credentials in them for future phishing campaigns or data dumps, and hijack email threads to spread its malicious software further. It also makes use of third-party malicious tools such as Mimikatz, a password harvester, and Emotet, an advanced Trojan. It is most commonly deployed during times of chaos and confusion; it preys on stress.
In the case of Covid-19, QBot made a resurgence as employees and citizens were receiving massive amounts of Covid-19 related email from their banks, employers, children’s schools, and so on.
Recently, it has been using the widespread and unfounded fear of election interference to target victims. According to the threat intelligence team at Malwarebytes Labs, QBot reaches email inboxes through hijacked email threads, arriving as a reply within an existing conversation. The reply carries a .zip attachment titled ElectionInterference.zip. Because the underlying theme is already tense and the email chain already active, click rates are much higher than with, say, a simple spray-and-pray attack.
Once the archive is opened, the Excel spreadsheet inside disguises itself as a secure DocuSign document that requires macro permissions to "decrypt" the spreadsheet. This lure is as old as QBot itself, but it still works. Once clicked, malicious software is downloaded onto the user's computer. It is then that QBot can steal PII and infiltrate the mailbox for the next wave of the scam.
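The delivery chain described above, a reply into an existing thread carrying a zip that wraps a macro-enabled Excel file, is something a mail gateway can triage without ever opening the document in Excel. The following is an added example written for this article; it is not code from Malwarebytes, CISA or the QBot analysis. It parses a raw message, looks inside any .zip attachment for Office Open XML files, and flags those that embed a VBA project (stored at `xl/vbaProject.bin` in Excel containers). The message, the inner file name `ElectionInterference.xlsm`, the sender addresses and the file contents are all constructed for the demo; only the outer attachment name ElectionInterference.zip comes from the article.

```python
"""Triage inbound mail for zip attachments that carry macro-enabled Office files.

Added example, not part of the original article. Everything below except the
attachment name ElectionInterference.zip is constructed for illustration.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Office Open XML documents are zip containers. A VBA project inside one is
# stored at a fixed path per application; its presence means the file has macros.
MACRO_MARKERS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
OFFICE_EXT = (".xlsm", ".xlsx", ".docm", ".docx", ".pptm", ".pptx")


def office_has_macros(blob: bytes) -> bool:
    """Return True if an OOXML document embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as doc:
            names = set(doc.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML container (legacy .xls/.doc OLE files need an OLE
        # parser such as oletools' olevba, which is out of scope here).
        return False
    return any(marker in names for marker in MACRO_MARKERS)


def inspect_zip_attachment(blob: bytes) -> list:
    """List members of a zip attachment that are macro-bearing Office files."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for info in archive.infolist():
            if info.filename.lower().endswith(OFFICE_EXT):
                if office_has_macros(archive.read(info)):
                    flagged.append(info.filename)
    return flagged


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report macro-bearing zip attachments.

    Also records whether the mail is a reply into an existing thread, the
    delivery pattern the article attributes to QBot.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {
        "subject": str(msg["subject"]),
        "is_thread_reply": msg["in-reply-to"] is not None,
        "macro_files": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        try:
            for member in inspect_zip_attachment(payload):
                report["macro_files"].append(f"{name}:{member}")
        except zipfile.BadZipFile:
            # An attachment claiming to be a zip that will not parse is itself
            # worth a look, so record it rather than silently passing it.
            report["macro_files"].append(f"{name}:<unreadable zip>")
    report["verdict"] = "quarantine" if report["macro_files"] else "pass"
    return report


def build_sample_message() -> bytes:
    """Construct a synthetic mail mimicking the pattern (all values made up)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as doc:  # minimal stand-in for an .xlsm
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("xl/workbook.xml", "<workbook/>")
        doc.writestr("xl/vbaProject.bin", b"placeholder VBA project bytes")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as archive:
        archive.writestr("ElectionInterference.xlsm", inner.getvalue())  # constructed name

    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "RE: quarterly numbers"
    msg["In-Reply-To"] = "<original-thread@example.com>"  # reply into a hijacked thread
    msg.set_content("See attached, this needs your attention today.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="ElectionInterference.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

The check relies on container structure rather than file extension or signature, so a renamed .xlsm still trips it; the thread-reply flag is reported separately because a legitimate reply with a harmless attachment should not be quarantined on that basis alone.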
Cyber crime software is becoming streamlined and automated as cyber crime campaigns succeed and funding increases. This enables increasingly nuanced, psychologically targeted campaigns.
Social engineering is the act of manipulating people into falling for cyber crime schemes. Hackers are evolving their techniques to target the panic du jour. Research shows that a heightened state of anxiety weakens our cognitive functions: the more acute the emotion, the more likely a person is to let down their guard and fall for a targeted phishing campaign. During these trying times, it is important to be extra vigilant. Because trusted sources can be compromised or faked, any link or download should be considered suspicious until verified otherwise.
Additionally, many telecommuters now use home devices for work, work devices for recreation, and work email for personal matters (and vice versa). This means that enterprises must also be aware of social engineering campaigns: even if they are directed at an individual, enterprise security may be at risk.
On August 25, 2020, the Cybersecurity & Infrastructure Security Agency updated its 2009 tips on avoiding social engineering and phishing attacks. The relevant tips, summarized, include:
- Be skeptical of any clickable email link or download, especially if it comes from an unknown entity. (In the case of QBot schemes, even known entities may have been compromised.)
- Do not send sensitive information over the web without first checking the website's security. Look for an https URL and the locked padlock icon to confirm the connection is encrypted (the padlock confirms encryption in transit, not that the site itself is legitimate).
- Take advantage of email filters, anti-virus software, and firewalls. Update them regularly and install any patches immediately.
- If you believe you may have been compromised, change your passwords immediately. Watch for signs of identity theft by monitoring your credit report and paying attention to unusual activity in your email inbox. Notify your employer if the compromise was work related, occurred on a work machine, or involved a work email account.