Qbot Takes New Distribution Method to Infect Korean Users

Diving into details

• The email is disguised as a hijacked normal email, with a reply sent to the target user, along with a malicious file attached. 
• The recipient addresses are obtained from the original email's recipients and CC list. Notably, the dates of the original emails span a wide range from 2018 to 2022, indicating that they are not recent. 
• The contents of the replies are unrelated to the original email. However, they contain messages that entice users to open the attachment.

Getting infected

• Upon opening the PDF files, users are presented with a page displaying the Microsoft Azure logo, along with a persuasive message urging them to click the "Open" button.
• Subsequently, the user is redirected to a malicious URL. Upon establishing a connection, a password-protected compressed ZIP file is downloaded. 
• Further investigation of the decompressed file revealed obfuscated script code hidden among dummy text, designed to evade antivirus detection.

More on Qakbot

• In March, researchers spotted a network intrusion, in which the threat actors gained initial access via Qbot and later deployed the Black Basta ransomware.  
• In a February campaign, the malware operators started experimenting with OneNote as a new distribution method. Dubbed QakNote, the spam campaign disseminated Microsoft OneNote attachments embedded with an HTML file.

The bottom line