Contact Us

Qakbot: A banking Trojan being distributed via email hijacking

Qakbot is a sophisticated and highly dangerous banking Trojan that is primarily used to steal sensitive information such as login credentials, banking details, and other confidential data. It is also known as Qbot, Pinkslipbot, and Quackbot. The malware is capable of infecting both 32-bit and 64-bit versions of Microsoft Windows operating systems.

Researchers have discovered a fresh campaign that spreads Qbot through malicious PDF files attached to email replies or forwards. Spam emails are typically sent via the Geodo (Emotet) botnet. These emails contain attachments that seem like important documents (bills, invoices, etc.) but are actually malicious Microsoft Office [usually Word] documents. To infiltrate, Qakbot thieves try to deceive users into opening these files.

The reply, which is sent to the target individual and is disguised as a legitimate email that has been hacked includes a malicious file attached to it. The recipient addresses are located in the original email’s CC and recipient lists and the dates of the emails vary considerably from 2018 to 2022. The substance of the answers is independent of the subject line of the email andusers are nonetheless encouraged to open the attachment by the messages they include.

Users see the Microsoft Azure logo on the first page after opening the PDF files, along with an enticing message asking them to click the “Open” button. After that, a malicious URL is delivered to the user. As soon as the connection is established, a compressed ZIP file with a password gets downloaded. A closer look at the decompressed file revealed script code that was purposefully cloaked in fake text to avoid being detected by antivirus software.

Target countries that Qakbot is known to attack include the United States, Europe, Italy, Germany, Korea, and India. Qakbot is known to target mostly U.S. based companies and a variety of industries, including manufacturing, banking and financial services, healthcare, and the government.

References:

  1. https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies
  2. https://www.pcrisk.com/removal-guides/14443-qakbot-trojan

Related Articles

SISA logo in white

SISA is a global forensics-driven cybersecurity solutions company, trusted by leading organizations for securing their businesses with robust preventive, detective, and corrective cybersecurity solutions. Our problem-first, human-centric approach helps businesses strengthen their cybersecurity posture.

Industry recognition by CREST, CERT-In and PCI SSC serves as a testament to our skill, knowledge, and competence.

We apply the power of forensic intelligence and advanced technology to offer true security to 2,000+ customers in 40+ countries.

Company

Services

Resources

Quick Links

Connect with us

Copyright © 2024 SISA. All Rights Reserved.
SISA’s Latest
close slider

Webinar

Webinar: ANAB accredited certification, Jan 2024, cover image

ANAB Accredited Certification: A Catalyst for Professional Excellence in Payment Security

Webinar: ANAB accredited certification, Jan 2024, cover image

ANAB Accredited Certification: A Catalyst for Professional Excellence in Payment Security

Whitepaper

Bridging the cybersecurity skill gap in payments industry through accredited training - Banner

The Tipping Point: Bridging the Cybersecurity Skill Gap in the Payments Industry Through Accredited Training

Events

SISA Reimagines Cybersecurity with MXDR at RSA 2024

News Room

DSCI and SISA unveils cyber report on ‘MXDR – A New Paradigm for Cyber Defense’

Infosec Report

SISA-DSCI ProACT MXDR Report launch 2024

Blog

The Critical Role of Accredited Certification in Payment Security

Weekly Threat Watch

Raspberry Robin resurfaces with WSF file campaign

Case Study

SISA helps a global electronic payment provider strengthen risk management and compliance

Sign up for SISA's Daily
Threat Watch Advisory
Subscribe now!