After a pause, a malicious campaign targeting organisations with the dangerous Qbot malware is returning, and Kaspersky has detected a new wave of activity targeting users all around the world.

According to Kaspersky telemetry, the United Arab Emirates and Egypt are among the top 10 affected countries globally. Corporate users in countries of the META region (Middle East, Türkiye, Africa) account for approximately 20% of all corporate users affected globally.

Qbot is a notorious banking Trojan, capable of stealing users’ data and emails from infected corporate networks, spreading further in the network, and installing ransomware or other Trojans on other devices in the network.

Cybercriminals allegedly intercept active email conversations on business matters and send the recipients a message containing a link to download an archived file protected with a password, which infects their devices with the banking Trojan. To convince users to open or download the file, the attackers usually state that it contains some important information, such as a commercial offer.

Such a scheme makes these messages harder to detect and increases the chances that the recipient will fall for the trick. Kaspersky has detected more than 400 infected sites spreading Qbot so far.

“Imitating work correspondence is a common trick employed by cybercriminals; however, this campaign is more complicated as the attackers use an existing and previously stolen conversation to send a deceptive message as if in continuation of the correspondence,” says Victoria Vlasova, senior security researcher at Kaspersky.

“This method increases the chances of the recipient opening the files. Therefore, we advocate that employees should be especially careful now when communicating in business correspondence so as not to accidentally open a malicious file with Qbot.”