A particularly persistent strain of malware has once again reared its ugly head, and this time it's got a new bag of tricks, reports Israeli security firm Check Point.
Qbot, also known as Qakbot or Pinkslipbot, started out as a banking Trojan around 2008. But in the malware world, successful malware doesn't die — it evolves.
Check Point says Qbot has now partnered up with Emotet, a younger but similarly notorious bug, to send phishing emails, steal passwords and credit-card numbers, install ransomware and even insert fake emails into ongoing email conversations.
"The threat actors behind Qbot are investing heavily in its development to enable data theft on a massive scale from organizations and individuals," said Yaniv Balmas, Check Point's head of cyber research, in a press statement.
"For now, I strongly recommend people to watch their emails closely for signs that indicate a phishing attempt — even when the email appears to come from a trusted source," Balmas added.
Another way to avoid infection by Qbot is to run the best antivirus software. Not only will good antivirus scanners spot and stop the malware, but some strains of Qbot check for the presence of antivirus software on a computer and stop their activity if it's detected.
A malware Swiss Army knife
To be fair, this isn't the first time Qbot has snuck phishing emails into ongoing threads, or even come packaged as an Emotet payload. Our friends at Bleeping Computer reported on Qbot doing both back in April 2019, based on a security-firm report that no longer seems to be available online.
Then as now, the infection comes in the form of a spear-phishing email tailored to the recipient. In the body of the email is a link to a document the recipient "needs" to see, purporting to be a resume, business document, tax form or, in the most recent campaigns, information about COVID-19.
If you click on that link, you'll download a .ZIP file that, if you're running Windows, will launch a Visual Basic script to download yet more malware. That malware will in turn check to see if you're running Microsoft Outlook. If so, it will upload many of your email threads to criminal servers so that they can be hijacked with yet more phishing emails.
The malware can also hijack your online banking sessions even when you're logged in, Check Point said. The firm estimates that about 100,000 machines have been infected since March, with the largest number of infections occurring in the United States.
Other strains of Qbot have been spotted hiding in booby-trapped Word documents, corrupting WordPress blogs to infect readers, embedding themselves in the Windows Registry so that they run upon system startup, hijacking Windows' own file-manager application and locking users out of their accounts.
Some variants even change their code three or four times a day to avoid being easily detected by antivirus software. For these reasons, the Check Point report says, Qbot "has become the malware equivalent of a Swiss Army knife."