The infamous Qbot banking trojan has recently been spotted again, infecting tens of thousands of machines to date, mainly in the US.
Also known as Quakbot, QakBot and Pinkslipbot, Qbot is a well-maintained trojan with sophisticated evasion and persistence capabilities, equipped with worm-like functionality that lets it spread quickly through networks.
Method of distribution
The malware is designed to steal domain and banking credentials and is usually delivered hidden within a malicious document.
Arriving as an attachment to an email sent from a familiar address (usually a compromised account), it is disguised as an innocent-looking invoice, payment notice or other banking document.
When the user opens the document, a spoofed system or security message prompts them to click a macro-enabling button such as ‘Content enable’ (see image below).
Once macros are enabled, a script runs and triggers a chain of hidden processes that install multiple components of the malware in various locations on the victim’s machine.
A spoofed Windows Defender message
GateScanner Mail control panel: MS Word doc. CDR definitions
Applying a CDR-based (Content Disarm and Reconstruction) defense strategy to incoming file channels gives the IT security team the most advanced tools available to prevent and thwart file-based cyber-attacks such as the Qbot trojan, while keeping the impact on the organization's functionality and day-to-day operations to a minimum.
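As an added illustration of the macro-stripping step a CDR pipeline performs on a Word attachment (example code written for this page, not GateScanner's own implementation), the script below builds a constructed, minimal macro-enabled document in memory, detects its VBA project part, and rebuilds the package without it and without the content-type and relationship entries that reference it.

```python
import io, re, zipfile

# Constructed sample: a minimal OOXML package shaped like a macro-enabled Word
# document (.docm), reduced to the parts that matter for the macro check.
SAMPLE_PARTS = {
    "[Content_Types].xml": (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>'
    ),
    "word/document.xml": "<w:document/>", "word/styles.xml": "<w:styles/>",
    "word/_rels/document.xml.rels": (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '</Relationships>'
    ),
    "word/vbaProject.bin": "constructed placeholder, not a real VBA stream",
}
DOCM_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def build_sample() -> bytes:
    """Pack the constructed parts into an in-memory .docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in SAMPLE_PARTS.items():
            zf.writestr(name, body.encode("utf-8"))
    return buf.getvalue()

def has_macros(doc: bytes) -> bool:
    """True if the package carries a VBA project part or any reference to one."""
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        return any(n.lower().endswith("vbaproject.bin") or b"vbaProject" in zf.read(n)
                   for n in zf.namelist())

def strip_macros(doc: bytes) -> bytes:
    """CDR-style rebuild: copy every part except the VBA container, drop entries pointing at it."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name.lower().endswith("vbaproject.bin"):
                continue  # the macro container itself is never copied
            data = src.read(name)
            if name.endswith(".rels") or name == "[Content_Types].xml":
                data = re.sub(rb"<(Relationship|Default) [^>]*vbaProject[^>]*/>", b"", data)
                data = data.replace(DOCM_MAIN, DOCX_MAIN)  # main part becomes plain .docx type
            dst.writestr(name, data)
    return out.getvalue()
```

A production CDR engine goes further (it also rebuilds the remaining XML parts from a known-good schema rather than copying them), but the part/relationship removal shown here is the step that neutralises the ‘Content enable’ lure described above.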