• A context-aware phishing email that includes a link to an online document is sent to the target.
• The phishing emails are disguised as delivery emails which are replies to existing email threads.

What is the issue – A phishing campaign disguised as delivery emails which are replies to existing email threads, delivers the Qbot trojan.

The big picture

JASK SpecOps security researchers described the delivery mechanism of Qbot trojan.

“The delivery mechanism for this Qbot infection was a phishing campaign where the targeted user received an email containing a link to an online document. Interestingly enough, the delivery email was actually a reply to a pre-existing email thread,” researchers said in a case study.

• A context-aware phishing email that includes a link to an online document is sent to the target.
• The phishing link to the document is actually a link to a VBScript-based dropper script which is designed to drop the Qbot malware.
• Upon clicking the malicious link, the Qbot payload will be downloaded on the already compromised machine with the help of the legitimate Windows BITSAdmin utility (bitsadmin.exe) in the form of an ‘August.png’ file.
• The Qbot malware will then start brute forcing network accounts for lateral movement purposes using a list of local account credentials.

“The dropper executes a stage two download, which SpecOps diagnosed as Qbot-related due to open source reporting and VirusTotal signature detection,” researchers said.