Emails try to lure victims with malicious documents claiming to have information about voting interference.
Threat actors have taken advantage of the ongoing uncertainty around the 2020 U.S. election to unleash a new malspam campaign aimed at spreading the Qbot trojan.
Criminals behind Qbot resurfaced the day after the election with a wave of spam emails that attempt to lure victims with messages claiming to have information about election interference, according to new research.
“The 2020 US elections have been the subject of intense scrutiny and emotions, while happening in the middle of a global pandemic,” researchers at Malwarebytes Labs reported in a post published Wednesday. “In this case, we began observing a new spam campaign delivering malicious attachments that exploit doubts about the election process.”

Qbot, an ever-evolving information-stealing trojan that’s been around since 2008, reappeared this year after a hiatus to target customers of U.S. financial institutions with fresh capabilities to help it remain undetected. Its current incarnation has evolved into a “Swiss Army knife” of malware that can steal information, install ransomware and make unauthorized banking transactions.
The latest e-mails observed by the Malwarebytes Labs team include ZIP attachments named “ElectionInterference_[8 to 9 digits].zip” and request that the recipient “Read the document and let me know what you think.”
If a victim takes the bait, they open an Excel spreadsheet that has been crafted to look like a secure DocuSign file. “Users are tricked to allow macros in order to ‘decrypt’ the document,” researchers said.
Once the macro is enabled, it downloads a malicious payload containing the Qbot trojan, with the URL encoded in a cell of a Cyrillic-named sheet, “Лист3.” After execution, the trojan contacts its command-and-control server to request instructions for its nefarious activity. In this case, Qbot steals and exfiltrates victim data and also collects e-mails that can be used in future malspam campaigns, researchers said.
The latest Qbot campaign uses a trick that the team behind the Emotet trojan, considered by the U.S. government to be one of the most prevalent ongoing cyber threats, also has used to “add legitimacy and make detection harder,” Segura and Jazi noted. That tactic is to send the e-mails as replies to existing threads, so that potential victims believe the message is part of a previous email conversation.
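The two lure characteristics the article describes, the fixed attachment naming pattern (“ElectionInterference_” followed by 8 to 9 digits and “.zip”) and delivery as a reply to an existing thread, are both easy to turn into mail-gateway detection logic. The following is an added example written for this page, not code from Malwarebytes or from the researchers; the `MailRecord` structure, the `scan` function and the sample messages are all constructed assumptions, and the reply-thread check is a heuristic (a `.zip` attached to a message that claims to answer an earlier one), not a signature from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Attachment naming pattern reported for this campaign:
# "ElectionInterference_[8 to 9 digits].zip". Anchored so that
# "ElectionInterference_1234567.zip" (7 digits) does NOT match.
ATTACHMENT_RE = re.compile(r"^ElectionInterference_\d{8,9}\.zip$", re.IGNORECASE)


@dataclass
class MailRecord:
    """Minimal view of a message as a gateway or SIEM might log it (constructed)."""
    sender: str
    subject: str
    attachment: Optional[str]      # file name of the first attachment, if any
    in_reply_to: Optional[str]     # Message-ID the mail claims to answer, if any


def is_campaign_attachment(name: Optional[str]) -> bool:
    """True if the attachment name follows the reported naming scheme."""
    return bool(name and ATTACHMENT_RE.match(name))


def is_zip_thread_reply(rec: MailRecord) -> bool:
    """Heuristic: an archive attached to a message that presents itself as a
    reply to an earlier thread (the Emotet-style thread-hijack lure)."""
    return bool(rec.attachment
                and rec.attachment.lower().endswith(".zip")
                and rec.in_reply_to)


def classify(rec: MailRecord) -> List[str]:
    """Return the list of reasons a message should be flagged (empty if clean)."""
    reasons = []
    if is_campaign_attachment(rec.attachment):
        reasons.append("attachment matches ElectionInterference_<8-9 digits>.zip")
    if is_zip_thread_reply(rec):
        reasons.append("zip attachment delivered as a reply to an existing thread")
    return reasons


def scan(records: List[MailRecord]) -> List[Tuple[str, List[str]]]:
    """Run classify() over a batch and keep only flagged senders with reasons."""
    return [(r.sender, classify(r)) for r in records if classify(r)]


# Constructed sample traffic; none of these addresses or IDs are real.
SAMPLE_RECORDS = [
    MailRecord("alice@example.invalid", "Re: budget review",
               "ElectionInterference_123456789.zip", "<abc123@example.invalid>"),
    MailRecord("bob@example.invalid", "FYI",
               "ElectionInterference_1234567.zip", None),       # 7 digits: no match
    MailRecord("carol@example.invalid", "Re: Q3 numbers",
               "Q3_report.zip", "<q3@example.invalid>"),        # thread-reply heuristic only
    MailRecord("dave@example.invalid", "Re: lunch", None, "<lunch@example.invalid>"),
]

if __name__ == "__main__":
    for sender, reasons in scan(SAMPLE_RECORDS):
        print(sender, "->", "; ".join(reasons))
```

The pattern match is the high-confidence signal; the thread-reply heuristic on its own will also catch legitimate archives sent in reply, so in practice it is better used to raise a score or trigger attachment detonation than to block outright.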
Indeed, Qbot previously has been linked to Emotet, hitching a ride with the malware as part of a distribution technique used in a campaign earlier this year. Qbot also was one of the pieces of malware distributed in an election-related Emotet spear-phishing campaign in early October that sent thousands of malicious emails purporting to be from the Democratic National Committee to recruit potential Democratic volunteers.
That threat actors are taking advantage of the uncertainty of the 2020 election (the official outcome of which remains unknown) comes as no surprise. Security researchers long expected that election day and its aftermath would be disrupted by cyber threat actors.
Indeed, the current 2020 election scenario is perfect fodder for the social-engineering schemes threat actors often use to mass-distribute malware via malicious e-mails, Segura and Jazi observed.
“Threat actors need to get victims to perform a certain set of actions in order to compromise them,” they wrote. “World events such as the Covid pandemic or the U.S. elections provide ideal material to craft effective schemes resulting in high infection ratios.”