A continually evolving strain of malware has developed yet another trick: It injects itself into ongoing email threads, hoping that someone on the thread will open a malicious document that infects their PC.
Qakbot, otherwise known as Qbot or Pinkslipbot, started out as a banking Trojan way back in 2007 but has since expanded into stealing information (including passwords and credit-card numbers), installing ransomware and backdoors, and mapping out company networks. It can arrive in poisoned Microsoft Office files or via infected web pages.
Qakbot's most potent new weapon, according to a Sophos report posted today (March 10), is to hijack email accounts, check for ongoing email threads that the hijacked account has been receiving, and then add reply messages to those threads containing links to infected Office files.
"Its abuse of email threads makes it particularly dangerous," wrote Sophos' Andrew Brandt and Steeve Gaudreault. "Mail recipients may not realize that the Qakbot-spreading email messages are not just part of an ongoing conversation between multiple parties."
Dancing about malware
The post related how back in October 2021, a thread that Brandt had been receiving about experimental dance music suddenly contained messages from other thread members that seemed oddly tailored to business language — along with a link to download a file.
"Good day. If it will not cause any inconvenience, please reply to the last paperwork I sent," read one message that didn't seem to be about dance music. "In case the message might not arrived, please do it right now."
This was accompanied by a web address containing a ZIP file, a compressed archive. Other messages contained even briefer text, such as "Attached is the document you need" or "Please read this ASAP," along with links to ZIP files online.
Those ZIP files unpack to create Word or Excel files that infect your machine with malware once you bypass Microsoft's protections against internet-borne documents by clicking the "Enable Editing" or "Enable Content" buttons. (Microsoft is slowly making this type of infection process harder to pull off.)
"The malware delivered at least three different payloads, including a web injector for stealing login credentials and an ARP-scanning component that attempted to profile the network on which it was running," Brandt and Gaudreault wrote.
They added that the malware also wrote to the Windows Registry and tried to send out spam from the test machine — and was still working just fine in March.
"The same initial malware I infected a testbed with in October remains functional and capable of reaching its command-and-control server," Brandt wrote. "It still gets payload updates, even five months later."
One of those payloads included instructions on how to steal user credentials for a couple of dozen American banking and financial websites, including Bank of America, Citibank, Wells Fargo, TD Ameritrade and Schwab, plus PayPal and Microsoft.
How to protect yourself from Qakbot email injections
Needless to say, this isn't something you'd expect when perusing an email thread about experimental dance music, or whatever cultural activity strikes your fancy.
To avoid infection by malware that arrives as part of an email thread, the first rule is to not download random Office files from the internet — even if they seem to come from someone you know or work with.
Second, if you do download and open the files, do NOT turn off Microsoft's built-in protections. If the file says you need to "Enable Content" or "Enable Editing" to view the file, it's probably malicious.
Third, install and use some of the best antivirus software. You've already got a pretty good one with the built-in Microsoft Defender Antivirus, but third-party antivirus will do a better job of blocking known malicious websites and catching malware before it "unpacks."
You can also use antivirus software to scan all downloaded files before you open them. Just browse to the file in the Windows Explorer file manager and right-click it to bring up a menu that includes an option to scan the file.
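For mail administrators, the pattern described above (a reply dropped into an existing thread, with only a line or two of new text and a link to a ZIP archive) can be checked mechanically. The following is an added example, not code from Sophos or from the original article; the 40-word threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MAX_NEW_WORDS = 40  # assumed cut-off for a "brief" lure; tune on real mail

def body_text(msg):
    """Decode and join every text/* part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def assess(raw):
    """Flag a thread reply whose new (unquoted) text is brief and links to a ZIP."""
    msg = message_from_string(raw)
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    # Ignore quoted history so only the text this sender added is measured.
    new_text = "\n".join(line for line in body_text(msg).splitlines()
                         if not line.lstrip().startswith(">"))
    urls = [u.rstrip(".,)") for u in URL_RE.findall(new_text)]
    zips = [u for u in urls if urlparse(u).path.lower().endswith(".zip")]
    words = len(URL_RE.sub(" ", new_text).split())
    return {"is_reply": is_reply, "zip_links": zips, "new_words": words,
            "suspicious": is_reply and bool(zips) and words <= MAX_NEW_WORDS}

# Constructed sample messages (not taken from the Sophos report).
HIJACKED = """\
From: member@example.org
To: dance-list@example.org
Subject: Re: Saturday set list
In-Reply-To: <constructed-1@example.org>

Please read this ASAP
https://files.example.net/docs/paperwork.zip

> Are we still doing the modular set on Saturday?
"""
BENIGN = """\
From: member@example.org
To: dance-list@example.org
Subject: Re: Saturday set list
In-Reply-To: <constructed-1@example.org>

Yes, doors open at eight.

> Are we still doing the modular set on Saturday?
"""

if __name__ == "__main__":
    for name, raw in (("hijacked", HIJACKED), ("benign", BENIGN)):
        print(name, assess(raw))
```

A hit is a reason to quarantine the message for review, not proof of compromise, since legitimate replies sometimes link to archives too.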