A notorious botnet with a RAP sheet going back 15 years has been spotted using a novel attack technique. Qakbot, also known as Qbot, was observed by researchers at Sophos Labs inserting itself into the middle of active email threads, using the compromised accounts of victims whose systems had already succumbed to the malware.
Cyber-criminals have long used variations of Qakbot to gather data and perform reconnaissance inside victims’ networks illegally.
In research published Thursday, researchers said that the malicious comments which cropped up in conversations thanks to Qakbot took the form of a reply-all message. The message contained a short sentence together with a link to download a zip file containing a malicious Office document.
The links may appear as straightforward URLs or as hotlinked text in the body of the email. Targets who follow the links and open the document become victims of the botnet.
Researchers Andrew Brandt and Steeve Gaudreault noted that the mimicking abilities of Qakbot make this new email insertion attack challenging to spot.
They said: “Because the malware is so good at doing this – quoting the original message after its malicious reply – it can be challenging for the targets of these attacks to recognize that the messages they receive didn’t come from the human being who owns the email box where they originated.”
In one attack, during which Qakbot sent a listserv announcement about a musical concert, the malware delivered at least three different payloads, including a web injector for stealing login credentials and an ARP-scanning component that attempted to profile the network on which it was running.
Researchers noted that a Qakbot infection might be an omen that another more serious attack is about to occur.
“The presence of Qakbot infections, generally, also correlates highly with the precursor indicators that a ransomware attack may begin shortly,” they wrote.
They added: “We’ve encountered Qakbot samples that deliver Cobalt Strike beacons directly to the infected host, providing the operators of the botnet with a secondary revenue stream: Once the Qakbot-operating threat actors have used the infected computer to their satisfaction, they can then lease out or sell access to the compromised network by transferring access to these beacons to other threat actors.”