New QakBot (Qbot) Attack Wave: Emails with Malicious PDF Attachments
by Tina Siering
Just last November we warned of aggressive phishing attacks using the QakBot (Qbot) malware. At that time a malicious ISO file was used, which in turn contained an LNK file and the QakBot payload. Now the banking Trojan is highly active again, with a different attack method.
Once it has penetrated a corporate network, it drops additional payloads such as Cobalt Strike, Brute Ratel and other malware, which in turn give the attackers access to the compromised device. From there the cybercriminals move laterally through the network undetected, steal data and finally deploy ransomware for extortion.
Since April 2023 a high level of QakBot activity has again been observed, with Windows users in companies as the focus. Distribution is by targeted spear-phishing emails, this time with malicious PDF attachments that, when opened on Windows, download script files from a remote server.
Conversation hijacking tactic
The banking Trojan is spread via the potential victim's genuine business correspondence, which the cybercriminals have hijacked. This so-called "conversation hijacking" tactic works as follows: the victim is given a plausible reason to open the malicious PDF attachment (for example, a request to calculate an agreed order amount based on the estimated costs in the attachment). Because the message arrives as a reply in an existing thread, the phishing email appears far less suspicious.
The phishing emails are sent in various languages, including German. When the supposedly "protected" PDF file is opened, a ZIP archive is downloaded that contains a Windows Script File (.wsf), which in turn executes a PowerShell script on the infected computer. The PowerShell script tries each URL in a hard-coded list until it succeeds in downloading a DLL into the %TEMP% folder and executing it.
Once the QakBot DLL is running, it executes the PING command to check whether there is an internet connection. The malware then injects itself into the legitimate Windows program wermgr.exe (Windows Error Reporting Manager), where it runs unnoticed in the background. Note that wermgr.exe is normally started by the Windows Error Reporting service, so an instance of it whose parent is a script host or a DLL loader is worth investigating.
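The infection chain described above (script host, PowerShell, DLL dropped in %TEMP%, PING, wermgr.exe) is a good candidate for a parent/child process detection. The following Python is an added example written for this article, not Allgeier secion tooling and not code from the QakBot campaign. It assumes a simplified Sysmon-style process-creation record (pid, ppid, image, command line), assumes the DLL is loaded via rundll32.exe or regsvr32.exe (the article does not name the loader), and assumes that a legitimate wermgr.exe is started by svchost.exe, werfault.exe or another wermgr.exe. The sample events are constructed, not real telemetry.

```python
"""Detect the QakBot PDF -> WSF -> PowerShell -> DLL -> wermgr.exe process chain.

Added example for this article; not the vendor's own tooling. The event
format is a constructed, simplified Sysmon Event ID 1 (process creation)
record. ntpath is used so Windows paths parse correctly on any host.
"""
import ntpath

# Assumptions: script hosts that launch the WSF stage, loaders used to run the
# dropped DLL, and parents under which wermgr.exe is normally started.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
LEGIT_WERMGR_PARENTS = {"svchost.exe", "wermgr.exe", "werfault.exe"}

# Constructed sample telemetry (not real data). pid 100-106 is the malicious
# chain; pid 200-201 is a benign wermgr.exe started by the WER service.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "cmd": "Acrobat.exe invoice.pdf"},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\Downloads\doc\invoice.wsf"},
    {"pid": 103, "ppid": 102,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\u\AppData\Local\Temp\ab12.dll,print"},
    {"pid": 105, "ppid": 104, "image": r"C:\Windows\System32\PING.EXE",
     "cmd": "ping -n 4 8.8.8.8"},
    {"pid": 106, "ppid": 104, "image": r"C:\Windows\System32\wermgr.exe",
     "cmd": "wermgr.exe"},
    {"pid": 200, "ppid": 5, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k WerSvcGroup"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\wermgr.exe",
     "cmd": "wermgr.exe -upload"},
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def detect(events):
    """Return (rule_name, pid) findings for each stage of the chain.

    Each rule keys on the parent/child relationship, which survives renaming
    of the dropped files and changes to the download URLs.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        cmd = e["cmd"].lower()
        # Stage 1: WSF from the ZIP launches PowerShell.
        if name == "powershell.exe" and pname in SCRIPT_HOSTS:
            findings.append(("script_host_spawned_powershell", e["pid"]))
        # Stage 2: PowerShell runs a DLL it just wrote under %TEMP%.
        if (name in DLL_LOADERS and pname == "powershell.exe"
                and "\\temp\\" in cmd and ".dll" in cmd):
            findings.append(("powershell_loaded_dll_from_temp", e["pid"]))
        # Stage 3: the DLL checks connectivity with PING.
        if name == "ping.exe" and pname in DLL_LOADERS:
            findings.append(("dll_loader_connectivity_check", e["pid"]))
        # Stage 4: wermgr.exe started by something other than the WER service.
        if name == "wermgr.exe" and pname not in LEGIT_WERMGR_PARENTS:
            findings.append(("wermgr_unexpected_parent", e["pid"]))
    return findings


def process_chain(events, pid):
    """Walk parent pointers to show the full ancestry of a flagged process."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} chain={' -> '.join(process_chain(SAMPLE_EVENTS, pid))}")
```

Run stand-alone, the script flags the four stages of the constructed chain (pids 103 to 106) and leaves the service-started wermgr.exe (pid 201) alone. In practice the wermgr.exe rule produces the fewest false positives; the PowerShell and DLL-from-%TEMP% rules should be tuned against your own baseline of legitimate script activity before alerting on them.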
Remain vigilant and bear in mind that cybercriminals are constantly evolving their tactics, in this case by adding further convincing social engineering elements. Therefore, check the exact spelling of the sender's email address, and be wary of unexpected attachments and grammatical errors, even when the message arrives as a reply in a thread you recognise.
If a device is infected with QakBot, it is important to take the system offline as quickly as possible and to check the entire network for unusual behaviour.
Allgeier secion customers with an active Managed Service contract for Active Cyber Defense will of course be informed separately about malicious communication on their systems.