Researchers discovered Geodo botnets using a new spam campaign to deliver samples of Qakbot malware.

Cofense observed the botnets delivering non-Geodo malware since at least Jan. 28 via increasingly targeted phishing efforts. The attack begins when a user receives a phishing email containing a weaponized Microsoft Office document. That file contains malicious embedded macros that, when enabled, directly deliver Qakbot malware to the victim’s device. Researchers also witnessed the campaign leveraging IcedID, another banking Trojan, as its final payload.

In both cases, the campaign ends by replacing the binary content with that of calc.exe. This tactic is designed to help the campaign hide in plain sight, which signals Geodo’s evolution as a digital threat. Cofense found additional evidence of this evolution in Geodo’s use of targeted addressing, internal signatures and previous threads to prey on state-level government departments in the U.S. as part of a related malware campaign.

A Surge in Banking Trojans

This attack campaign comes amid a rise in activity for banking Trojans such as Qakbot and IcedID. Check Point observed a 50 percent increase in banking Trojan activity in the first half of 2018, with Dorkbot and Ramnit earning spots on the company’s “Most Wanted Malware” list for June of that year. Two months later, Ramnit placed even higher on Check Point’s monthly malware index.

Other security companies have also observed this trend among banking Trojans. For example, Kaspersky Lab detected 61,000 installation packages for mobile banking malware in Q2 2018 — more than a threefold growth over the previous quarter.

How to Defend Against Threats Like Qakbot Malware

Security professionals can help defend against digital threats like Qakbot malware by using tools such as VBA editor to analyze Office documents for malicious macros. Organizations should also lead by example and implement two-factor authentication (2FA) to prevent digital attackers from accessing and weaponizing their business email accounts.