A prolific botnet used to deliver malware, ransomware and other malicious payloads is spreading itself by hijacking email conversations in order to trick PC users into downloading it in what’s described as an “extremely active” phishing campaign.
Qakbot has plagued victims since 2008, when it started life as a banking trojan designed to steal usernames and passwords. The malware has continually added new capabilities, making it more dangerous and more effective. A recent campaign has been detailed by cybersecurity researchers at Sophos, who’ve warned that Qakbot is hijacking email threads to spread itself to more victims.
By hijacking ongoing email threads between real people, there’s a better chance that the phishing attacks will be effective because those receiving the message are likely to trust a sender they know and have received emails from in that same thread already.
Qakbot attacks are automated, spreading via the infected Windows computers of people who’ve already unwittingly fallen victim. Once installed on a compromised machine, Qakbot downloads a payload which hunts for email accounts, stealing the username and passwords required to get into them.
Automated tools then go through the inbox and use the compromised account to send out phishing emails by replying to all on existing email threads, quoting the original message being replied to so the response looks more authentic.
These messages generally contain a snippet of brief text content with a request to look at an attachment, often a zip file. The messages can be sent out in a variety of languages, tailored to the language the original emails have been sent in.
While generic messages relating to paperwork or documents might seem too bland to lure people into opening malicious attachments, the fact that the messages look like they’re coming from someone the user knows, and has been talking to, could encourage them to let their guard down and open the file.
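The pattern described above (a reply into an existing thread, a short body asking the recipient to open an attachment, and a zip attachment) can be scored by a simple mail-filter heuristic. This is an added example, not code from the article or from Sophos; the sample messages, lure-word list and thresholds are constructed for illustration.

```python
# Added example: heuristic scoring of the Qakbot-style thread-hijack lure.
# Not from the article or Sophos; sample data and thresholds are constructed.
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List

# Constructed list of phrases typical of a "please look at the attachment" lure.
LURE_WORDS = re.compile(
    r"\b(attach(ed|ment)|document|paperwork|see below|please (check|review|open))\b",
    re.I,
)

def new_text(msg: EmailMessage) -> str:
    """Return the plain-text body with quoted ('>') lines removed."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith(">")).strip()

def hijack_reasons(raw: bytes) -> List[str]:
    """Return the list of thread-hijack indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if msg["In-Reply-To"] or msg["References"]:
        reasons.append("reply into an existing thread")
    zips = [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".zip")]
    if zips:
        reasons.append("zip attachment: " + ", ".join(zips))
    text = new_text(msg)
    if len(text) < 200 and LURE_WORDS.search(text):
        reasons.append("short new text asking to open an attachment")
    return reasons

def build_sample(reply: bool, with_zip: bool, text: str) -> bytes:
    """Construct a sample message (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "RE: Q3 invoices"
    if reply:
        m["In-Reply-To"] = "<thread-1@example.com>"
    m.set_content(text + "\n\n> On Monday you wrote:\n> Here are the Q3 invoices.\n")
    if with_zip:
        m.add_attachment(b"PK\x03\x04constructed", maintype="application",
                         subtype="zip", filename="document.zip")
    return m.as_bytes()
```

A real filter would combine this score with sender-reputation and attachment-scanning results rather than block on it alone.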
Anyone who does this risks their device being infected by Qakbot, leaving any sensitive information or accounts on the machine ripe for being stolen.
Machines infected with Qakbot can also be compromised with other malware, including ransomware. Cyber criminals can lease out the botnet to access machines infected with Qakbot in order to deliver their own malware payloads.
“Qakbot is a full-service botnet that performs data theft and malware delivery services on behalf of either themselves or third parties. They clearly take advantage of credential theft to access the websites belonging to innocent third parties to use for hosting payloads,” Andrew Brandt, principal researcher at Sophos Labs, told ZDNet.
The malware remains what’s described as “extremely active” in attempting to spread itself to new victims, while the authors of Qakbot continue to add new features to it, including further obfuscating the malicious code to help it avoid detection and analysis.
Users should therefore be wary of unusual emails they receive, even if they’re from known contacts, because there’s the potential that messages could be coming from a contact infected with Qakbot.
“The best way to protect yourself is to train yourself to recognize when a message is out of character with the person allegedly sending it, and not to click the link to download the zip file,” said Brandt, who added that, given the message is sent from the account of someone you know, you could contact them using methods other than email to check whether it’s really them.
“Verify that they intended to send you the file before you open it,” he concluded.