QBot Malware Hijack Business Emails To Drop Malware Via Weaponized PDF Files

Beware of the latest phishing campaigns that distribute the QBot malware via PDFs and Windows Script Files (WSF) to infiltrate your Windows devices.

Qbot (aka QakBot, QuackBot, and Pinkslipbot) is a sneaky cyber threat once a banking trojan. Still, it has become malware that opens doors for other malicious actors to enter corporate networks.


Qbot achieves initial access by dropping dangerous payloads like:-

As a result, the compromised device becomes accessible to other threat actors.

Once Qbot has created an entry point, other cybercriminals can spread throughout the network, stealing confidential information and deploying ransomware as extortion.

Statistical Analysis

Malicious PDF attachments were first received on the evening of April 4, followed by a mass email campaign that started at 12:00 pm the next day and continued until 9:00 pm, with approximately 1,000 letters detected. 

Another surge occurred on April 6, with over 1,500 letters sent and more messages in the next few days. 

On the evening of April 12, another 2,000 letters were sent, after which cybercriminal activity decreased, but users still received fraudulent messages.

Infection Chain

It has been observed by the Securelist researchers that the virus spread via emails composed in various languages, with a range of versions constantly appearing in:-

  • English
  • German
  • Italian
  • French

The hackers got hold of genuine business letters, allowing them to infiltrate the email chain by adding their messages.

Typically, the letters would encourage the recipient, using a convincing excuse, to open a PDF attachment.

Using fake business emails can hinder spam detection and boost the chances of victims falling prey to the scam.

To create a sense of authenticity, the attackers used the name of the previous letter’s sender in the ‘From’ field. 

However, the fake email address used by the sender will differ from the actual correspondent. Since 2007, the banking Trojan QBot has been on the market.

Since then, various modifications and improvements have occurred, and it has become one of the most active malware currently being spread on the Internet.

The PDF attachment masquerades as an Office 365 or Azure notification, urging the user to click ‘Open’ to view the enclosed files.

Once the user follows through, they’ll receive an archive from a remote server, which may be compromised.

The archive will be secured using the password provided in the original PDF file.

There is a file called .wsf in the downloaded archive that contains an obfuscated script that is written in JScript.

The QBot malware distribution campaign uses a heavily obfuscated WSF file that aims to run a PowerShell script on the victim’s computer.

From a list of URLs, the PowerShell script tries to download a DLL, and the WSF file executes this PowerShell script.

The QBot DLL checks if there is an internet connection by executing the PING command when it is loaded and executed. 

Once downloaded, the malware will inject itself into the legitimate Windows wermgr.exe program, operating unnoticed in the background.

Comprehending the QBot malware’s distribution methods is crucial since infections can result in severe corporate network attacks.

Why do Organizations need Unified endpoint management – 
Download Free E-books & Whitepapers

Also, Read

QBot Malware Using Windows Calculator to Deploy Payload on Infected Computers

Hackers Increasingly Use Microsoft OneNote to Deliver Malware

Rozena Backdoor Malware Uses a Fileless Attack to Injecting Remote Shell on Windows

Prometheus TDS – An Underground Service Distributes Malware to Attack Via Hacked Websites

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.