

QBOT Spam Campaign

Written by Roland Middelweerd and Frank de Korte from the Northwave CERT

In recent months Northwave has seen an increase of spam campaigns containing the QBot backdoor malware. The threat actors behind the malware use stolen emails for these spam campaigns. The emails have a zip file attached which contains a Microsoft Office document. This document has an embedded malicious macro which installs Qbot upon execution. Images of commonly used software, such as Office 365 and DocuSign, are used to persuade users to execute the malicious macro. The section "Qbot Campaign" provides a detailed description of how Qbot works, using one of their phishing campaigns.

In the past few months, the Northwave CERT investigated several ransomware infections where Qbot was used as initial access vector. The exact same modus operandi was found during each investigation. After the execution of the Qbot malware, ransomware was used within 2 days (at most) to encrypt multiple systems. The ransomware strains Egregor and DoppelPaymer were found during the investigations. Reports mention that the ProLock ransomware strain has used Qbot in the past as initial access vector. In August 2020, a large phishing campaign was launched with Qbot as attachment. Qbot teaming up with the new ransomware strain Egregor resulted in the infection of a large number of victims by the Egregor ransomware [2]. According to Malwarebytes, even the elections of the United States of America were used for a phishing campaign of Qbot.
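The delivery chain described above (zip attachment, Office document inside, VBA macro inside that) is something a mail gateway or triage script can check for before a user ever opens the file. The following is an added example, not code from Northwave or from the post; it builds a constructed sample attachment in memory and flags any Office document inside it that carries a VBA project. For legacy OLE (.doc/.xls) containers it only recognises the container magic, which is an assumption that every such file may carry macros rather than a real stream parse.

```python
import io
import zipfile

# Compound-file (legacy .doc/.xls) magic; assumption: we do not parse OLE streams,
# so any legacy container is conservatively treated as "may contain macros".
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx")


def office_doc_has_macro(data: bytes) -> bool:
    """True if an Office document carries a VBA project.

    OOXML files are zip containers; a macro-enabled one ships word/vbaProject.bin
    (or xl/vbaProject.bin). Legacy OLE files are flagged on magic alone.
    """
    if data.startswith(OLE_MAGIC):
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(name.lower().endswith("vbaproject.bin") for name in doc.namelist())
    except zipfile.BadZipFile:
        return False


def suspicious_attachment(zip_bytes: bytes) -> list:
    """Names of Office documents inside a zip attachment that contain macros."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.filename.lower().endswith(OFFICE_EXTS):
                if office_doc_has_macro(outer.read(info)):
                    hits.append(info.filename)
    return hits


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML document; the vbaProject.bin body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            doc.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed zip attachment: one macro document, one clean document, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Invoice_2020.docm", build_sample_docm(True))
        z.writestr("Cover_letter.docx", build_sample_docm(False))
        z.writestr("readme.txt", "constructed sample")
    return buf.getvalue()
```

Running `suspicious_attachment(build_sample_attachment())` on the constructed sample returns only the macro-enabled document, which is the attachment a gateway should quarantine for analysis.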
