Digital attackers launched a malicious email campaign that used fear of election interference in order to spread the QBot trojan.
On November 4, Malwarebytes came across an attack email. This message arrived as a thread reply in an attempt to boost its legitimacy.
The body of the email did not include the recipient’s name or other personal information. Instead, it gave a short salutation and asked the recipient to review an attached document entitled “ElectionInterference_529259401.xls.”
Those responsible for this campaign crafted the attached Excel sheet in such a way that it appeared to be a document encrypted by DocuSign. Subsequently, this file instructed the recipient to click the “Enable Content” button so that they could view its contents.
Compliance with this request caused a malicious macro to load QBot by pulling down the threat from a URL. This location was encoded in a cell of the Excel document’s Cyrillic-named sheet “Лист3.”
After establishing a connection with its Command-and-Control (C&C) server and receiving instructions, QBot got to work stealing emails that it could use for future malspam campaigns. It then gathered up those emails along with other stolen data and exfiltrated it to its handlers.
This attack wasn’t the first time that QBot made headlines in the last few months of the year. For instance, the trojan climbed from 10th place to 6th place on a monthly “most wanted malware” list for September 2020. Emotet, another malware family which is a common distributor of QBot, maintained its lead on that list for the third consecutive month.
Just days later, security researchers revealed that digital attackers had incorporated a Windows Defender Antivirus theme into their malicious documents that they used to spread QBot.
News of these campaigns highlight the need for organizations to defend themselves against email-borne attacks. They can do this by educating their users about some of the most common types of phishing attacks that are in circulation today.