QBot Using Election Interference Baits in Phishing Campaigns

Following the trend of exploiting major world events, a new spam campaign has been observed delivering malicious attachments that exploit concerns and curiosity about the 2020 U.S. election process.

QBot causing interference

Recently, the Malwarebytes Labs Threat Intelligence Team spotted a campaign of U.S. election-themed phishing emails that uses a new template.
  • In this campaign, threat actors used hijacked email threads to push bogus DocuSign documents, luring potential victims into opening the bait documents and enabling macros that drop malware payloads.
  • QBot operators used this tactic to add legitimacy to the scam and earn the victim’s trust.
  • The malware not only infected the victims' computers but also started collecting emails that could be used in the operators' next malspam campaigns.

Recent QBot attacks

In October, QBot was seen using Windows Defender Antivirus phishing bait to infect target computers.
  • In several instances, Emotet was seen dropping QBot as a first-stage or second-stage malware payload.
  • In August, QBot’s malspam campaigns were spreading globally and infecting targets to steal emails from a user's Outlook client for future exploitation.

Closing statement

With time, QBot has become more dangerous. Since its resurgence last year, it has been launching malspam campaigns to infect organizations, and it uses a third-party infection infrastructure to spread the threat even further. The threat actors behind QBot are expected to keep evolving their techniques and to take the malware further in the future.