Kaspersky, a cybersecurity company, recently detected an increase in the spread of Qbot malware through a campaign that relies on malicious emails with PDF attachments targeting corporate users. The attackers use advanced social engineering: they intercept existing business correspondence and reply within the same email threads with malicious PDF attachments. Delivering this malware through PDF files is unusual, which makes the campaign all the more dangerous. The campaign began on April 4, 2023, and has already sent more than 5,000 emails with PDF attachments to recipients in various countries.
Qbot malware belongs to the notorious class of banking Trojans and operates as part of a botnet. It can steal data, including passwords and work correspondence, allowing attackers to take control of the infected system and install ransomware or other Trojans on more machines within the same network. The malware's operators use various distribution schemes; this campaign relies on emails with malicious PDF attachments, which has not been seen on a large scale before.
The malware is distributed through a victim's business correspondence that the cybercriminals have captured. They then send an email to all participants in the thread, typically asking them to open the attached malicious PDF file under various pretexts. To protect companies from such threats, Kaspersky recommends verifying the sender's address, being wary of messages that press for urgent action, giving employees basic cybersecurity training, and using endpoint and mail server protection solutions with anti-phishing capabilities.
Daria Ivanova, a malware analysis expert at Kaspersky, warns that Qbot is very harmful and that the attackers are constantly refining their techniques, adding ever more elements to their social engineering that appear convincing to victims and increasing the likelihood that employees will fall for the ploy. Companies should therefore remain highly vigilant and check carefully for red flags such as the spelling of the sender's email address, unusual attachments, and grammatical errors.
The PDF's content imitates the Microsoft Office 365 or Microsoft Azure logo; if the user clicks the "Open" button, a malicious archive is downloaded to the computer from a remote server, such as a compromised website. Kaspersky experts conducted a detailed technical analysis of this process to protect companies from related threats. They recommend installing a trusted security solution such as Kaspersky Secure Mail Gateway, which automatically filters out unwanted messages, and using endpoint and mail server protection solutions with anti-phishing capabilities, such as Kaspersky Endpoint Security for Business.
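The red flags described above (a sender address that does not belong to the expected domain, and a PDF whose clickable "Open" element points at a remote server that serves an archive) can be turned into a simple mail triage check. The following Python script is an added example written for this article; it is not Kaspersky's code and it does not reproduce the campaign's actual PDF. It embeds a constructed minimal PDF containing a `/URI` link action, scans the raw bytes for action dictionaries that fetch or run something, and compares the sender domain against the domain the correspondence is expected to come from. All names, the sample PDF and the `example.invalid` host are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed minimal PDF (assumption, not the campaign's sample): one page
# whose link annotation carries a /URI action, the structure a clickable
# "Open" element would use to fetch a file from a remote server.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 200 150]
   /A << /S /URI /URI (http://example.invalid/download/archive.zip) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Action dictionaries worth flagging in a document that arrives by email.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")   # link to a remote resource
LAUNCH_RE = re.compile(rb"/S\s*/Launch")              # run an external program
OPENACTION_RE = re.compile(rb"/OpenAction")           # action fired on open
JS_RE = re.compile(rb"/JavaScript|/JS\b")             # embedded script
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|iso|img)(\?|$)", re.I)


@dataclass
class PdfFindings:
    uris: List[str] = field(default_factory=list)
    has_launch: bool = False
    has_open_action: bool = False
    has_javascript: bool = False

    @property
    def risky(self) -> bool:
        return bool(self.uris) or self.has_launch or self.has_open_action or self.has_javascript


def inspect_pdf(data: bytes) -> PdfFindings:
    """Scan raw PDF bytes for actions that fetch or execute something.

    Regex over the raw file is a cheap first pass: it sees dictionaries stored
    in plain text but misses objects packed into compressed object streams,
    so a clean result here is not proof that the file is harmless.
    """
    f = PdfFindings()
    for m in URI_RE.finditer(data):
        f.uris.append(m.group("uri").decode("latin-1"))
    f.has_launch = LAUNCH_RE.search(data) is not None
    f.has_open_action = OPENACTION_RE.search(data) is not None
    f.has_javascript = JS_RE.search(data) is not None
    return f


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Alice <alice@x.example>'."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def sender_mismatch(from_header: str, expected_domain: str) -> bool:
    """True when the sender domain is not exactly the expected one.

    Exact comparison deliberately rejects lookalikes such as a hyphenated or
    misspelled variant of the partner's real domain.
    """
    return sender_domain(from_header) != expected_domain.lower()


def triage_message(from_header: str, expected_domain: str,
                   attachment_name: str, attachment_bytes: bytes) -> List[str]:
    """Return human-readable red flags for one message with one attachment."""
    flags: List[str] = []
    if sender_mismatch(from_header, expected_domain):
        flags.append(f"sender domain {sender_domain(from_header)!r} differs from {expected_domain!r}")
    if attachment_name.lower().endswith(".pdf"):
        findings = inspect_pdf(attachment_bytes)
        for uri in findings.uris:
            flags.append(f"PDF contains a clickable link to {uri}")
            if ARCHIVE_RE.search(uri):
                flags.append(f"link fetches an archive file: {uri}")
        if findings.has_launch:
            flags.append("PDF contains a /Launch action")
        if findings.has_open_action:
            flags.append("PDF runs an action automatically on open")
        if findings.has_javascript:
            flags.append("PDF contains JavaScript")
    return flags


if __name__ == "__main__":
    # Constructed message: a reply that appears in an existing thread but comes
    # from a lookalike domain and carries a PDF that links to an archive.
    for flag in triage_message("Alice <alice@contoso-invoices.example>",
                               "contoso.example", "Document.pdf", SAMPLE_PDF):
        print("RED FLAG:", flag)
```

The script is meant as a gateway or SOC triage aid, not a verdict: a PDF with an external link is not malicious by itself, but a reply inside a trusted thread whose sender domain does not match and whose attachment links to a remote archive is exactly the combination the campaign relies on, and it deserves to be held for review rather than delivered.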