Email Threads Are Being Used Maliciously in Automated Attacks

Beware: if you’re infected by the QBot Trojan, your email threads (the chain of back-and-forth emails in any given conversation) can be stolen and reused to make an attack look more authentic. How? Let’s break it down in our latest cybersecurity blog.

Operators of the QBot Trojan have developed new techniques that let them break into email accounts and steal credentials and other sensitive financial data. Also known as Qakbot and Pinkslipbot, QBot is a prolific form of malware that operates like a Swiss Army knife. It acts not only as a typical information stealer, but can also deploy ransomware and carries other dangerous capabilities. Since its discovery in 2008, QBot is estimated to have claimed at least 100,000 victims across countries including the US, India and Israel (source).

How does it work? 

Essentially, QBot uses phishing documents as its delivery vehicle: it lands on vulnerable machines through documents that contain URLs and .ZIP files, then uses one of six hardcoded, encrypted URLs to infect the machine. A report covering March through April of this year found that malicious payloads delivered by operators of the Emotet Trojan succeeded in breaching an estimated 5% of organizations worldwide.

Microsoft Outlook users are specifically at risk of having their email threads hijacked by QBot-infected machines. Once a machine is infected, the malware extracts Outlook email threads and uploads them to the QBot operators’ command-and-control (C2) server. Once a thread has been stolen, attackers reuse that thread to spread the malware further. Using common subjects such as COVID-19-related messages, job recruitment notices and tax payment reminders, attackers can compromise a single employee’s email by building trust through a seemingly normal message. Recipients read the malicious emails thinking they are genuine replies in an existing conversation, and oftentimes open the infected attachments, which leads to infection of their entire computer. Then the attackers are ‘in’.
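One way a mail gateway or triage script can flag a reply that rides a stolen thread, as an added example (not PK Tech’s tooling): it checks whether a message that references a known thread comes from an address that never took part in it, and whether it carries a document or archive attachment. The thread table, every address and both messages below are constructed sample data.

```python
"""Heuristic triage for hijacked-thread lures (added example, constructed data)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: Message-ID of a genuine thread -> addresses that actually took part in it.
# In practice this table is built from the organisation's own sent/received mail.
KNOWN_THREADS = {
    "<thread-1@corp.example>": {"alice@corp.example", "bob@partner.example"},
}
# Attachment types commonly used as malware droppers in these lures.
RISKY_EXTENSIONS = (".zip", ".doc", ".docm", ".xls", ".xlsm")

def attachment_names(msg):
    """Return the filenames of all attachment parts in a parsed message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def triage(raw):
    """Return the reasons a message looks like a hijacked-thread lure (empty list = no finding)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # A reply points at earlier messages through In-Reply-To and References.
    refs = set(msg.get("In-Reply-To", "").split()) | set(msg.get("References", "").split())
    reasons = []
    for ref in sorted(refs):
        if ref in KNOWN_THREADS and sender not in KNOWN_THREADS[ref]:
            reasons.append(f"reply to {ref} from non-participant {sender}")
    risky = [n for n in attachment_names(msg) if n.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        reasons.append("risky attachment(s): " + ", ".join(risky))
    return reasons

# Constructed lure: quotes the real thread, but the sending address was never part of it.
HIJACKED = """\
From: "Bob" <bob@mail-relay.example>
To: alice@corp.example
Subject: RE: Q3 invoice
In-Reply-To: <thread-1@corp.example>
References: <thread-1@corp.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Alice, see attached, as discussed below.
> (quoted text copied from the stolen thread)
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAo=
--b1--
"""

# Constructed genuine reply from a real participant, no attachment.
LEGIT = """\
From: bob@partner.example
To: alice@corp.example
Subject: RE: Q3 invoice
In-Reply-To: <thread-1@corp.example>
Content-Type: text/plain

Thanks, confirmed.
"""

if __name__ == "__main__":
    print(triage(HIJACKED))  # two reasons: non-participant sender, risky attachment
    print(triage(LEGIT))     # []
```

The attachment body is a placeholder string, not a real archive; a production check would also inspect the archive contents and the authentication results (SPF/DKIM/DMARC) of the sending domain.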

Typically, once it has breached a device, QBot goes after specific types of sensitive data, which may include (but is not limited to) banking credentials, browsing data, email records, tax payment information and passwords. A dedicated Trojan module downloads a tool called Mimikatz, with the sole purpose of harvesting passwords that may be present in email threads.

What else can QBot do? It can inject itself into the web browsers of infected machines and from there install ransomware (such as ProLock). QBot has also recently evolved to retrieve and install updates and new modules, further infecting and controlling a breached machine, all without the user knowing.

It’s safe to say QBot is very dangerous and is here to stay. 

At PK Tech, we are continuing to stay up to date on the latest QBot developments, monitoring our clients’ networks accordingly and keeping our clients current on the best protection software. If you have questions about QBot, or general questions about how to protect your business network and employees, please reach out to us.