QBot malware has been a persistent threat to Windows devices for some time now, and the new phishing campaign using Windows Script Files (WSF) is making it easier than ever to infect these devices. The campaign uses reply-chain emails carrying PDF attachments and is being distributed worldwide.
QBot DLL File Injected into Windows Error Manager, Allowing the Malware to Run Stealthily in the Background
According to the story by Bleeping Computer, when opened, the PDF file will download a ZIP file that contains a Windows Script File (WSF). The WSF file is heavily obfuscated, and its ultimate goal is to execute a malicious PowerShell script.
Upon execution of the PowerShell script, a stealthy QBot DLL file is downloaded and injected into the Windows Error Manager program, allowing the malware to run in the background.
Infection Speed: QBot Gains an Initial Foothold in Minutes
The speed at which QBot can infect Windows devices and move to adjacent workstations is alarming - it only takes around an hour for the malicious activity to spread and for valuable data to be stolen.
QBot malware is a formidable threat to businesses, as it provides threat actors with a way to gain an initial foothold on corporate networks. In recent reports, strains of QBot have been distributed through phishing emails using PDFs and Windows Script Files (WSF) to infect Windows devices.
The Potential Consequences of Clicking on a Reply-Chain Email
Reply-chain emails are used to make phishing emails less suspicious. The attached PDF appears innocuous, with a message of "This document contains protected files, to display them, click on the 'open' button."
Unfortunately, clicking the button instead downloads a ZIP file containing an obfuscated WSF file, which ultimately executes a PowerShell script. From there, the QBot malware downloads itself and injects into the Windows Error Manager to run quietly in the background.
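As an added detection example (not code from the article or from any of the researchers it cites), the following Python check flags the chain described above in process-creation events. It assumes the Windows Error Manager is the wermgr.exe process, that events carry pid, ppid, image and command-line fields in a Sysmon-like shape, and that wermgr.exe is normally started by svchost.exe; the events below are constructed for the demonstration.

```python
"""Flag the WSF -> PowerShell -> wermgr.exe chain in process-creation events."""

# Constructed sample events (hypothetical, not taken from the article).
# The first four form the chain; the last is a benign wermgr.exe whose parent is unknown.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3000, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 5200, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\invoice\report.wsf"'},
    {"pid": 5300, "ppid": 5200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden <constructed placeholder>"},
    {"pid": 5400, "ppid": 5300, "image": r"C:\Windows\System32\wermgr.exe", "cmd": "wermgr.exe"},
    {"pid": 6000, "ppid": 900, "image": r"C:\Windows\System32\wermgr.exe", "cmd": "wermgr.exe -upload"},
]

# Parents that legitimately start wermgr.exe (assumption); "" means the parent is not in the log.
EXPECTED_WERMGR_PARENTS = {"svchost.exe", "wermgr.exe", "werfault.exe", ""}


def name_of(image):
    """Basename of an image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid, limit=8):
    """Process names from pid upward until the chain leaves the log (or limit is hit)."""
    names = []
    while pid in by_pid and len(names) < limit:
        names.append(name_of(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names


def find_qbot_chains(events):
    """Return (pid, reason) findings for each stage of the WSF -> PowerShell -> wermgr chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = name_of(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = name_of(parent["image"]) if parent else ""
        cmd = e["cmd"].lower()
        # Stage 1: a .wsf script run from a user profile path (where a ZIP would be unpacked).
        if name == "wscript.exe" and ".wsf" in cmd and "\\users\\" in cmd:
            findings.append((e["pid"], "WSF script executed from a user profile path"))
        # Stage 2: PowerShell spawned by a script host rather than by a user shell.
        if name == "powershell.exe" and pname in {"wscript.exe", "cscript.exe"}:
            findings.append((e["pid"], "PowerShell launched by a script host"))
        # Stage 3: wermgr.exe started by something other than its usual parent (injection target).
        if name == "wermgr.exe" and pname not in EXPECTED_WERMGR_PARENTS:
            chain = " <- ".join(ancestry(e["pid"], by_pid))
            findings.append((e["pid"], f"wermgr.exe started by {pname} (expected svchost.exe); chain: {chain}"))
    return findings
```

Each finding on its own is only a hint; the three stages appearing in one process lineage is what makes the alert actionable.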
The Rapid Lateral Spread of QBot Infection
This initial infection gives threat actors access to other connected devices on the network, allowing the lateral spread of additional malicious payloads and the deployment of ransomware.
The ransomware threat is becoming increasingly dangerous for businesses because the exposure window before lateral spread is incredibly short. The DFIR Report has shown that QBot needs only 30 minutes to collect sensitive data and an hour to spread to adjacent devices.
Therefore, it is crucial that businesses recognize the signs of a QBot infection and respond immediately to get the infected device offline to stop the lateral spread of malicious activity.
Security Evaluation Following QBot Malware Detection
Incident response in this case requires shutting down the infected computer and performing a full security evaluation of the entire network for any unusual behavior or attacks. Cryptolaemus1 shared the malware findings on Twitter.
This could include scanning for incoming and outgoing malicious traffic, scanning for installed malicious software, and examining accounts and services for signs of suspicious activity. These steps are essential to prevent the damaging effects of QBot malware, ransomware, and other malicious activity.