As if it wasn’t threatening enough, Qbot has now been spotted using a new document template for distributing its malware, one that uses Windows Defender Antivirus as the phishing lure to trick victims into enabling malicious Excel macros.
Qbot, also known as QakBot or QuakBot, was first spotted in 2008, but since then it has evolved from a “simple” info stealer into a “do it all – steal it all” trojan, adept at delivering other kinds of malware, including some new strains of ransomware.
Qbot has been known to piggyback on other malware infections (mostly Emotet) or, as in this case, to arrive via phishing campaigns using various lures, including fake invoices, payment and banking notifications, or scanned documents.
As you can see in the example below, provided by Brad Duncan, it’s nothing earth-shattering, but still well crafted…
Attached to these spam emails are malicious Excel (.xls) attachments.
When opened, as usual, these attachments prompt the user to click ‘Enable Content’ so that the malicious macros can run and install the Qbot malware on the victim’s computer.
To trick a user into clicking the ‘Enable Content’ button, and thus enabling macros, the threat actors use stylized document templates that pretend to come from a trustworthy organization or from the operating system itself.
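The mechanism described above (a macro-laden .xls that does nothing harmful until ‘Enable Content’ is clicked) suggests a simple mail-gateway check: does the attachment carry a VBA project at all, whatever its extension claims? The script below is an added example, not code from the original post or from any Qbot analysis. It relies on two assumptions: that legacy binary Office files are OLE Compound Files whose directory entries store stream names as UTF-16LE (so a VBA project shows up as the literal names _VBA_PROJECT and VBA), and that zip-based .xlsm/.docm files carry the project as a vbaProject.bin part. The sample inputs are constructed in memory and are not real documents; for production triage use a proper parser such as oletools’ olevba.

```python
"""Triage Office attachments for embedded VBA macros (added example).

Heuristic only: it looks for the directory-entry names an OLE file gains when
it contains a VBA project, and for the vbaProject.bin part in OOXML zips. It
does not parse or run the macros themselves.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.xlsm/.docm) is a zip

# OLE directory entries store stream/storage names as UTF-16LE. These names
# only appear when a VBA project is present ("Macros" is the Word storage).
OLE_VBA_MARKERS = {name: name.encode("utf-16-le")
                   for name in ("_VBA_PROJECT", "VBA", "Macros")}


def classify(data: bytes) -> dict:
    """Return the container format, whether macros were found, and the evidence."""
    if data.startswith(OLE_MAGIC):
        hits = [name for name, wide in OLE_VBA_MARKERS.items() if wide in data]
        return {"format": "ole", "has_macros": bool(hits), "evidence": hits}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return {"format": "zip-corrupt", "has_macros": False, "evidence": []}
        hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
        return {"format": "ooxml", "has_macros": bool(hits), "evidence": hits}
    return {"format": "unknown", "has_macros": False, "evidence": []}


def flag_attachments(attachments: dict) -> list:
    """Names of attachments that carry macros, regardless of their extension."""
    return [name for name, data in attachments.items()
            if classify(data)["has_macros"]]


# --- constructed samples (not real documents, just enough bytes for the heuristic)

def build_ole_sample(with_vba: bool) -> bytes:
    """A 512-byte header with the right magic, followed by fake directory names."""
    body = bytearray(OLE_MAGIC + b"\x00" * 504)
    body += "Workbook".encode("utf-16-le") + b"\x00" * 48
    if with_vba:
        # Excel names its VBA storage _VBA_PROJECT_CUR; it contains both markers.
        body += "_VBA_PROJECT_CUR".encode("utf-16-le") + b"\x00" * 32
    return bytes(body)


def build_ooxml_sample(with_vba: bool) -> bytes:
    """A minimal zip with the parts an .xlsx has, plus vbaProject.bin if asked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    inbox = {
        "invoice.xls": build_ole_sample(with_vba=True),
        "report.xls": build_ole_sample(with_vba=False),
        "scan.xlsx": build_ooxml_sample(with_vba=True),   # macros behind a lying extension
        "notes.xlsx": build_ooxml_sample(with_vba=False),
    }
    for name, data in inbox.items():
        print(name, classify(data))
    print("flagged:", flag_attachments(inbox))
```

The check keys on the container’s contents rather than the file name, so a macro-enabled workbook renamed to .xlsx is still flagged. It says nothing about what the macros do; a hit means “route this to a sandbox or block it”, not “this is Qbot”.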
On August 25th, Qbot switched to a new template that pretends to be an alert from Windows Defender Antivirus, claiming that the document is encrypted.
To anyone who works in IT or cyber security this obviously looks fake, but for somebody who is less adept or alert it might be just enough to work.
The template tells users that to decrypt the document they need to click ‘Enable Editing’ or ‘Enable Content’, which will supposedly decrypt it using the ‘Microsoft Office Decryption Core.’ No such component exists; those buttons simply leave Protected View and enable the macros.
Once ‘Enable Content’ is clicked, the malicious macros run and download and install Qbot on the victim’s computer. Qbot remains closely linked with Emotet, which, as noted above, is one of its main delivery vehicles.
As with Emotet, Qbot’s phishing emails are often injected into hijacked, archived email threads between two parties (reply-chain phishing) to lend them an air of credibility.
Once infected, Qbot performs various malicious activities that give the threat actors access to the victim’s bank accounts and network.
Once they have a foothold in a network, they deploy ransomware such as ProLock across it.