Qakbot: A banking Trojan being distributed via email hijacking

Qakbot is a sophisticated and highly dangerous banking Trojan that is primarily used to steal sensitive information such as login credentials, banking details, and other confidential data. It is also known as Qbot, Pinkslipbot, and Quackbot. The malware is capable of infecting both 32-bit and 64-bit versions of Microsoft Windows operating systems.

Researchers have discovered a fresh campaign that spreads Qbot through malicious PDF files attached to email replies or forwards. Spam emails are typically sent via the Geodo (Emotet) botnet. These emails contain attachments that seem like important documents (bills, invoices, etc.) but are actually malicious Microsoft Office [usually Word] documents. To infiltrate, Qakbot thieves try to deceive users into opening these files.

The reply, which is sent to the target individual and is disguised as a legitimate email that has been hacked includes a malicious file attached to it. The recipient addresses are located in the original email’s CC and recipient lists and the dates of the emails vary considerably from 2018 to 2022. The substance of the answers is independent of the subject line of the email andusers are nonetheless encouraged to open the attachment by the messages they include.

Users see the Microsoft Azure logo on the first page after opening the PDF files, along with an enticing message asking them to click the “Open” button. After that, a malicious URL is delivered to the user. As soon as the connection is established, a compressed ZIP file with a password gets downloaded. A closer look at the decompressed file revealed script code that was purposefully cloaked in fake text to avoid being detected by antivirus software.

Target countries that Qakbot is known to attack include the United States, Europe, Italy, Germany, Korea, and India. Qakbot is known to target mostly U.S. based companies and a variety of industries, including manufacturing, banking and financial services, healthcare, and the government.


SISA’s Latest
close slider