Malspam Campaign Milks Election Uncertainty

Threat actors have taken advantage of the ongoing uncertainty around the 2020 U.S. election to unleash a new malspam campaign aimed at spreading the Qbot trojan.

Criminals behind Qbot resurfaced the day after the election with a wave of spam emails that attempt to lure victims with messages claiming to have information about election interference, according to new researchers.

“The 2020 US elections have been the subject of intense scrutiny and emotions, while happening in the middle of a global pandemic,” researchers at Malwarebytes Labs reported in a posted Wednesday. “In this case, we began observing a new spam campaign delivering malicious attachments that exploit doubts about the election process.”
Qbot, an ever-evolving information-stealing trojan that’s been around since 2008, reappeared this year after a hiatus to target customers of U.S. financial institutions with fresh capabilities to help it remain undetected. Its current incarnation has evolved into a “Swiss Army knife” of malware that can steal information, install ransomware, and making unauthorized banking transactions.

The latest e-mails observed by the MalwareBytes Labs team include ZIP attachments named “ElectionInterference_[8 to 9 digits].zip” and request that the recipient “Read the document and let me know what you think.”

If a victim takes the bait, they click on an Excel spreadsheet that has been crafted as if it were a secure DocuSign file. “Users are tricked to allow macros in order to ‘decrypt’ the document,” researchers said.

Once the macro is enabled, it downloads a malicious payload containing the Qbot trojan with the URL encoded in a in a cell of a Cyrillic-named sheet “Лист3.” After execution, the trojan contacts its command and control server to request instructions for its nefarious activity. In this case, Qbot steals and exfiltrates victim data as well as collects e-mails that can be used in future malspam campaigns, researchers said.

The latest Qbot campaign uses a trick that the team behind the Emotet trojan—considered by the U.S. government to be one of the most prevalent ongoing cyber threats–also has used to “add legitimacy and make detection harder,” Segura and Jazi noted. That tactic is for the e-mails to arrive as thread replies to try to trick potential victims into thinking the message was part of a previous email conversation.

Indeed, Qbot previously has been linked to Emotet, hitching a ride with the malware as part of a distribution technique used in a campaign earlier this year. Qbot also was one of the pieces of malware distributed in an election-related Emotet spear-phishing campaign in early October that sent thousands of malicious emails purporting to be from the Democratic National Committee to recruit potential Democratic volunteers.

That threat actors are taking advantage of the uncertainty of the 2020 election–the official outcome of which remains unknown–comes as no surprise. Security researchers long expected that election day and its aftermath would be disrupted by cyber threat actors.

Indeed, the current election 2020 scenario is perfect fodder for the social-engineering schemes oft-used by threat actors to mass distribute malware via malicious e-mails, Segura and Jazi observed.

“Threat actors need to get victims to perform a certain set of actions in order to compromise them,” they wrote. “World events such as the Covid pandemic or the U.S. elections provide ideal material to craft effective schemes resulting in high infection ratios.”

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.