Attackers are using fake Windows Defender Antivirus emails to distribute QBot malware.

The QBot Attack Campaign

In late August 2020, Bleeping Computer revealed that QBot had begun using a new template in its email attacks.

This template also used stolen branding. It displayed a fake security warning from Windows Defender Antivirus within a Microsoft Word document. The fake alert also copied logos stolen from three other real firms.

According to the template, the sender supposedly encrypted the Word document with ‘corporative firewall.’

It then instructed the user to decrypt the document’s contents by clicking ‘Enable Content’ and enabling macros.

Compliance with that request caused the document’s malicious macros to execute and to install Emotet malware on the victim’s computer.

What Is Emotet?

Emotet is a complex trojan that commonly operates as a downloader of other malware samples. In the attack described above, Emotet downloaded QBot onto the victim’s computer when installed.

During the summer of 2020, both Malwarebytes and Check Point observed a resurgence of Emotet activity after those responsible for the trojan had seemingly gone quiet for five months.

Emotet’s handlers didn’t hold back in the months that followed. At the beginning of October 2020, for instance, the U.S. Cybersecurity & Infrastructure Security Agency revealed in an advisory that it had detected 16,000 alerts pertaining to Emotet since July of that year.

The warning arrived just days after Bleeping Computer spotted an attack campaign in which Emotet capitalized on the interest surrounding the 2020 U.S. presidential election by sending out emails that referenced a legitimate Democratic National Convention initiative.

QBot Malware’s Busy Year

QBot also had its fair share of fun last year.

Back in June, for instance, F5 Labs spotted a dedicated campaign in which digital attackers used a browser hijack or redirection to target banks in the United States with the information-stealing trojan.

Things ramped up in August when QBot entered Check Point’s monthly top 10 malware index for the first time at 10th place. That same month, researchers at the security firm revealed that they had witnessed the malware using a new “email collector module” to extract email threads from a victim’s Outlook client and to upload that data to a remote server under its attackers’ control.

By the following month, this new trick had helped QBot to climb to sixth place on Check Point’s malware list.

In November, QBot followed the example of Emotet by wading into the 2020 presidential election. In this case, email attackers used claims of election tampering to trick people into opening corrupted Excel files.

How to Defend Against QBot Malware

The persistence of threats such as QBot and Emotet highlights the need for defenses against email-borne malware. They can do this by regularly testing their employees’ awareness with phishing attacks and by using role-based employee education to instruct the entire workforce about the types of threats that might enter their inboxes.

At the same time, consider developing dedicated incident response plans, processes and teams. These could help reduce the harm of a successful email attack that might be carrying a malware payload. To make sure they’re protected, you should test those processes and plans on a regular basis.

More from News

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…

Malware-as-a-Service Flaunts Its Tally of Users and Victims

As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last — a few years, maybe? Now, security pros think in terms of how often will their organization be attacked and at what cost. Or they consider how the difference between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier. MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users…

New Survey Shows Burnout May Lead to Attrition

For many organizations and the cybersecurity industry as a whole, improving retention and reducing the skills gap is a top priority. Mimecast’s The State of Ransomware Readiness 2022: Reducing the Personal and Business Cost points to another growing concern — burnout that leads to attrition. Without skilled employees, organizations cannot protect their data and infrastructure from increasing cybersecurity attacks. According to Mimecast’s report, 77% of cybersecurity leaders say the number of cyberattacks against their company has increased or stayed the…

Alleged FBI Database Breach Exposes Agents and InfraGard

Recently the feds suffered a big hack, not once, but twice. First, the FBI-run InfraGard program suffered a breach. InfraGard aims to strengthen partnerships with the private sector to share information about cyber and physical threats. That organization experienced a major breach in early December, according to a KrebsOnSecurity report. Allegedly, the InfraGard database — containing contact information of over 80,000 members — appeared up for sale on a cyber crime forum. Also, the hackers have reportedly been communicating with…