QBOT Spam Campaign
Written by Roland Middelweerd and Frank de Korte from the Northwave CERT
In recent months Northwave has seen an increase in spam campaigns delivering the QBot backdoor malware. The threat actors behind the malware use stolen e-mails for these spam campaigns. The e-mails have a zip file attached which contains a Microsoft Office document. This document has an embedded malicious macro which installs Qbot upon execution. Images of commonly used software, such as Office 365 and DocuSign, are used to persuade users to execute the malicious macro. The section “Qbot Campaign” provides a detailed description of how Qbot works, using one of their phishing campaigns.
In the past few months, the Northwave CERT investigated several ransomware infections where Qbot was used as the initial access vector. The exact same modus operandi was found during each investigation. Within two days (at most) of the execution of the Qbot malware, ransomware was used to encrypt multiple systems. The ransomware strains Egregor and DoppelPaymer were found during the investigations. Reports mention that the ProLock ransomware strain has used Qbot as the initial access vector in the past.
In August 2020, a large phishing campaign was launched with Qbot as the attachment. Qbot teaming up with the new ransomware strain Egregor resulted in the infection of a large number of victims by the Egregor ransomware. According to Malwarebytes, even the elections of the United States of America were used for a Qbot phishing campaign: attachments referring to the uncertainty regarding the election results were used to persuade its victims. Northwave expects a new Qbot phishing campaign starting from 21 January 2021, based on spikes in submissions to public anti-virus tools and other malware trackers as well as an increase in calls to the Northwave CERT.
As mentioned before, Qbot uses stolen e-mails for its phishing campaigns. By reusing a legitimate e-mail history, the message is more convincing to the victim, who is led to believe it is a legitimate e-mail, although it is actually sent from a different e-mail address. A zip file is attached to the e-mail. This zip file contains a Microsoft Office document (often Word or Excel). The contents of the e-mail generally ask the recipient to open the attachment. An example of such an e-mail can be found in Figure 1. These example figures were obtained from and shared by the SANS Institute.
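The delivery chain described above (an e-mail with a zip attachment, which in turn holds an Office document carrying a macro) can be triaged automatically at the mail gateway or by an analyst. The following added example is not part of the Northwave write-up; it is standalone Python (standard library only) that parses an e-mail, unpacks any zip attachment, and reports which Office documents inside it contain a VBA project. Macro-enabled OOXML files (.docm, .xlsm) are themselves zip containers with a `vbaProject.bin` part, which is what the check looks for. The sample message, file names and addresses are constructed for the example; legacy binary .doc/.xls files are not zip-based and are only flagged for manual or oletools review rather than parsed here.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Part name that holds VBA macros inside a macro-enabled OOXML document
VBA_PART = "vbaproject.bin"
# Office extensions worth looking at inside an attached archive
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".dotm",
                     ".xls", ".xlsm", ".xlsx", ".xltm")


def office_doc_has_vba(data: bytes) -> bool:
    """True if an OOXML document (itself a zip) carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith(VBA_PART) for n in doc.namelist())
    except zipfile.BadZipFile:
        # Legacy OLE2 .doc/.xls is not a zip; this simple check cannot inspect it
        return False


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """List Office documents inside an attached zip and whether each has VBA."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            if not name.lower().endswith(OFFICE_EXTENSIONS):
                continue
            data = archive.read(name)
            findings.append({
                "file": name,
                "is_ooxml": zipfile.is_zipfile(io.BytesIO(data)),
                "has_vba": office_doc_has_vba(data),
            })
    return findings


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and inspect every zip attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if not filename.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        for finding in inspect_zip_attachment(payload):
            finding["attachment"] = filename
            results.append(finding)
    return results


def build_sample_message() -> bytes:
    """Constructed sample: a reply-style mail whose zip holds a macro-enabled workbook.

    The vbaProject.bin content is a placeholder, not a real macro."""
    workbook = io.BytesIO()
    with zipfile.ZipFile(workbook, "w") as wb:
        wb.writestr("[Content_Types].xml", "<Types/>")
        wb.writestr("xl/workbook.xml", "<workbook/>")
        wb.writestr("xl/vbaProject.bin", b"constructed placeholder, not a macro")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Document_2021-01.xlsm", workbook.getvalue())

    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "RE: invoice"
    msg.set_content("Hi,\n\nPlease see the attached document.\n\n> earlier thread text")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="Document.zip")
    return bytes(msg)


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        print(f"{f['attachment']} -> {f['file']}: ooxml={f['is_ooxml']} vba={f['has_vba']}")
```

In a gateway rule the `has_vba` result is the signal to quarantine or sandbox the message; `is_ooxml=False` for a .doc/.xls name means the file needs a dedicated OLE parser such as oletools before it can be cleared.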