This powerful email malware attack uses PDF and WSF files to break your defenses

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Cybersecurity researchers have discovered a new hacking campaign that distributes the dreaded Qbot malware.

Qbot is used by some of the world’s biggest ransomware operators, such as BlackBasta, REvil, Egregor, and others. 

According to researchers ProxyLife and Cryptolaemus, cybercriminals are using hijacked email accounts to spread the malware. They would use the stolen account to reply to an email chain, in order not to look overly suspicious. In the replied message, they’d distribute a .PDF file called “CancellationLetter-[number]”. If the victim opens the file, they’d see a prompt saying “This document contains protected files, to display them, click the “open” button.” 

Banking trojan evolution

Pressing the button, however, downloads a .ZIP file with a Windows Script (WSF) document. That file, as the researchers explain, is a mix of JavaScript and Visual Basic Script codes that download Qbot. 

Qbot itself used to be a banking trojan, but has since evolved into full-blown malware that provides access to compromised endpoints. Large cybercriminal syndicates use Qbot to deliver stage-two malware. Most notably - ransomware. 

To defend against this attack, as well as countless similar ones out there, the best way is to first use common sense - if you’re not expecting an email, especially with an attachment, be sceptical about its contents. The same goes with links in email bodies - always verify before opening any links. 

Furthermore, having proper cybersecurity solutions won’t hurt - an email security solution, an antivirus, or a firewall, will help in the battle against malware and ransomware. Also, having multi-factor authentication (MFA) set up on all accounts wherever possible is a great way to protect against data and identity theft. 

Finally, keeping the hardware and software up to date is crucial. By applying the latest patches and firmware updates, you’re keeping your endpoints secure from known vulnerabilities that threat actors can abuse with malware.

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.