A particularly persistent strain of malware has once again reared its ugly head, and this time it's got a new bag of tricks, reports Israeli security firm Check Point.
Qbot, also known as Qakbot or Pinkslipbot, started out as a banking Trojan around 2008. But in the malware world, successful malware doesn't die — it evolves.
- Isn't this ironic: Top cybersecurity firm falls prey to phishing attack
- The best identity-theft protection software to keep your personal data safe
- Just in: Nearly 28,000 printers 'hacked' over the internet: What to do
Check Point says Qbot has now partnered up with Emotet, a younger but similarly notorious bug, to send phishing emails, steal passwords and credit-card numbers, install ransomware and even insert fake emails into ongoing email conversations. (Here's a deeper dive into how it sneaks into email threads.)
"The threat actors behind Qbot are investing heavily in its development to enable data theft on a massive scale from organizations and individuals," said Yaniv Balmas, Check Point's head of cyber research, in a press statement.
"For now, I strongly recommend people to watch their emails closely for signs that indicate a phishing attempt — even when the email appears to come from a trusted source," Balmas added.
Another way to avoid infection by Qbot is to run the best antivirus software. Not only will good antivirus scanners spot and stop the malware, but some strains of Qbot check for the presence of antivirus software on a computer and stop their activity if it's detected.
A malware Swiss Army knife
To be fair, this isn't the first time Qbot has snuck phishing emails into ongoing threads, or even come packaged as an Emotet payload. Our friends at Bleeping Computer reported on Qbot doing both back in April 2019, based on a security-firm report that no longer seems to be available online.
Then as now, the infection comes in the form of a spear-phishing email tailored to the recipient. In the body of the email is a link to a document the recipient "needs" to see, purporting to be a resume, business document, tax form or, in the most recent campaigns, information about COVID-19.
If you click on that link, you'll download a .ZIP file that, if you're running Windows, will launch a Visual Basic script to download yet more malware. That malware will in turn check to see if you're running Microsoft Outlook. If so, it will upload many of your email threads to criminal servers so that they can be hijacked with yet more phishing emails.
The malware can also hijack your online banking sessions even when you're logged in, Check Point said. The firm estimates that about 100,000 machines have been infected since March, with the largest number of infections occurring in the United States.
Other strains of Qbot have been spotted hiding in booby-trapped Word documents, corrupting WordPress blogs to infect readers, embedding themselves in the Windows Registry so that they run upon system startup, hijacking Windows' own file-manager application and locking users out of their accounts.
Some variants even change their code three or four times a day to avoid being easily detected by antivirus software. For these reasons, the Check Point report says, Qbot "has become the malware equivalent of a Swiss Army knife."