This powerful email malware attack uses PDF and WSF files to break your defenses
A PDF is used to infect the target device with Qbot malware
Cybersecurity researchers have discovered a new hacking campaign that distributes the dreaded Qbot malware.
Qbot is used by some of the world’s biggest ransomware operators, such as BlackBasta, REvil, Egregor, and others.
According to researchers ProxyLife and Cryptolaemus, cybercriminals are using hijacked email accounts to spread the malware. They use the stolen account to reply to an existing email thread so that the message does not look suspicious. In the reply, they distribute a .PDF file called “CancellationLetter-[number]”. If the victim opens the file, they see a prompt saying “This document contains protected files, to display them, click the ‘open’ button.”
Banking trojan evolution
Pressing the button, however, downloads a .ZIP file containing a Windows Script File (WSF). That file, as the researchers explain, is a mix of JavaScript and VBScript code that downloads Qbot.
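The delivery chain above (a PDF lure named “CancellationLetter-[number]”, leading to a ZIP that wraps a WSF script) is something a mail gateway or SOC script can flag before a user ever clicks. The following is an added example, not code from the original article or from the researchers it cites: a small Python attachment scanner that matches the reported lure file name, checks that a .pdf attachment really starts with a PDF header, and looks inside ZIP attachments for Windows script members. The function names, the inclusion of .js/.vbs alongside .wsf, and the sample attachments are assumptions constructed here.

```python
"""Attachment triage for the Qbot PDF -> ZIP -> WSF delivery chain.

Added example; not code from the article or the cited researchers.
Assumptions: attachments are available as (filename, bytes) pairs; the
lure-name pattern and the ZIP-wrapped .wsf payload come from the article;
function names and sample data are constructed for illustration.
"""
import io
import re
import zipfile

# File-name pattern of the PDF lure reported in the article.
LURE_NAME = re.compile(r"^CancellationLetter-\d+\.pdf$", re.IGNORECASE)

# Script types the Windows Script Host runs on double-click. The article
# names .wsf; the other extensions are an assumed, related set.
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe")


def inspect_zip(data: bytes) -> list:
    """Return the names of script members inside a ZIP blob, or [] if none
    (or if the blob is not a readable ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except (zipfile.BadZipFile, ValueError, OSError):
        return []


def scan_attachment(filename: str, data: bytes) -> list:
    """Return a list of human-readable findings for one attachment."""
    findings = []
    lower = filename.lower()
    if LURE_NAME.match(filename):
        findings.append(f"{filename}: matches Qbot lure naming pattern")
    if lower.endswith(".pdf") and not data.startswith(b"%PDF"):
        findings.append(f"{filename}: .pdf extension but no PDF header")
    if lower.endswith(SCRIPT_EXTS):
        findings.append(f"{filename}: directly attached Windows script")
    if data[:4] == b"PK\x03\x04":  # local-file-header magic of a ZIP archive
        for member in inspect_zip(data):
            findings.append(f"{filename}: ZIP contains script {member}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding an empty placeholder .wsf member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CancellationLetter.wsf",
                    "<job><script language='JScript'></script></job>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: one lure-named PDF, one ZIP with a WSF inside,
    # and one benign PDF that should produce no findings.
    samples = [
        ("CancellationLetter-12345.pdf", b"%PDF-1.7 placeholder"),
        ("invoice.zip", build_sample_zip()),
        ("report.pdf", b"%PDF-1.4 placeholder"),
    ]
    for name, blob in samples:
        for finding in scan_attachment(name, blob):
            print("ALERT", finding)
```

In practice this would sit behind a mail filter or be run over quarantined attachments; the ZIP check is the useful one, since a legitimate business archive rarely carries a Windows Script File.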
Qbot itself used to be a banking trojan, but has since evolved into full-blown malware that provides access to compromised endpoints. Large cybercriminal syndicates use Qbot to deliver stage-two malware, most notably ransomware.
To defend against this attack, as well as countless similar ones out there, the best way is to first use common sense - if you’re not expecting an email, especially one with an attachment, be sceptical about its contents. The same goes for links in email bodies - always verify before opening any link.
Furthermore, having proper cybersecurity solutions won’t hurt - an email security solution, an antivirus, or a firewall, will help in the battle against malware and ransomware. Also, having multi-factor authentication (MFA) set up on all accounts wherever possible is a great way to protect against data and identity theft.
Finally, keeping the hardware and software up to date is crucial. By applying the latest patches and firmware updates, you’re keeping your endpoints secure from known vulnerabilities that threat actors can abuse with malware.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.