QBot Malware Is Making a Comeback by Replacing IcedID in Malspam Campaigns
Malware Distributors Are Switching Between Trojans Meant to Deliver Various Ransomware Strains as a Final Payload.
In the first months of the year, researchers noticed a malicious email campaign spreading weaponized Office documents that was delivering QBot trojan, and changing the payload after a short while.
Qbot, also known as “Qakbot” or “Pinkslipbot,” is a banking trojan active since 2007 that’s focusing on stealing user data and banking credentials. The malware has evolved to include new delivery mechanisms, command and control (C2) techniques, and anti-analysis features. While some campaigns deliver Qbot directly, it was delivered as a secondary payload to other prominent malware such as Emotet.
Now, let’ take a look at IcedID, a malware that bears similarities to Emotet by being a modular malware that started its lifecycle as a banking trojan used to steal financial information. This malware has been circulating at increasing rates, thanks to a spate of email campaigns using Microsoft Excel spreadsheet file attachments.
IcedID was recognized as the new malware coming from the URLs that used to serve QBot, and after about a gap of a month and a half, the malware distributor switched the payload back to QBot (a.k.a. QakBot), which has been seen delivering Ryuk, Conti, Maze, Egregor, and ProLock ransomware in the past.
Malware researcher and reverse engineer reecDeep was the one that spotted this specific switch on Monday, concluding the fact that the campaign relies on updated XLM macros.
#Malspam spreading XLSM #Maldoc to spawn #AgentTesla #Malware
🔥
u@cometshippings.com
mail.[cometshippings.[com#infosec #CyberSecurity #DFIR #cybercrime #Security pic.twitter.com/ejlNYCazsA— reecDeep (@reecdeep) April 14, 2021
The malicious Office files are posing as a DocuSign document trying to trick users into enabling macro support for fetching the payload on the system.
An interesting find is the fact that the same trick was seen in the analysis by researchers at Intel 471 regarding the malware distributor’s switch to deliver IcedID in February 2021 about EtterSilent, a malicious document builder that’s been gaining in popularity due to its constant development and ability to bypass several security mechanisms (Windows Defender, AMSI and even email services).
Heimdal® Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
One feature of the tool is that it can create malicious documents that look like DocuSign or DigiCert-protected files that require user interaction for decryption.