This powerful email malware attack uses PDF and WSF files to break your defenses
A PDF is used to infect target device with Qbot malware
Cybersecurity researchers have discovered a new hacking campaign that distributes the dreaded Qbot malware.
Qbot is used by some of the world’s biggest ransomware operators, such as BlackBasta, REvil, Egregor, and others.
According to researchers ProxyLife and Cryptolaemus, cybercriminals are using hijacked email accounts to spread the malware. They use the stolen account to reply to an existing email chain so the message does not look overly suspicious. In the reply, they distribute a .PDF file called “CancellationLetter-[number]”. If the victim opens the file, they see a prompt saying: “This document contains protected files, to display them, click the ‘open’ button.”
Banking trojan evolution
Pressing the button, however, downloads a .ZIP file containing a Windows Script File (WSF). That file, as the researchers explain, mixes JavaScript and Visual Basic Script code that downloads Qbot.
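As an added illustration (not code from the article or the researchers), the attachment checks below flag the two artefacts of the chain described above: a PDF lure whose name matches the “CancellationLetter-[number]” pattern, and a ZIP archive that carries a .wsf (or other Windows Script Host) file. The sample attachments are constructed in memory, and the file-name pattern and script-extension list are assumptions of this example.

```python
"""Added example: flag email attachments matching the Qbot delivery chain."""
import io
import re
import zipfile

# Assumed lure pattern from the article: "CancellationLetter-<number>.pdf".
LURE_NAME = re.compile(r"^CancellationLetter-\d+\.pdf$", re.IGNORECASE)
# Windows Script Host extensions worth flagging inside an emailed archive (assumption).
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe")


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings for one attachment (empty list = nothing flagged)."""
    findings = []
    if LURE_NAME.match(filename):
        findings.append(f"PDF name matches Qbot lure pattern: {filename}")
    # A .pdf that does not start with the PDF header is suspicious on its own.
    if filename.lower().endswith(".pdf") and not data.startswith(b"%PDF-"):
        findings.append(f"{filename} claims to be PDF but lacks %PDF- header")
    # ZIP archives: look inside for Windows Script Host payloads such as .wsf.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(SCRIPT_EXTS):
                        findings.append(f"{filename} contains script file: {member}")
        except zipfile.BadZipFile:
            findings.append(f"{filename} has ZIP signature but is not a valid archive")
    return findings


def build_sample_zip(member: str, body: bytes) -> bytes:
    """Construct a ZIP archive in memory (constructed sample input, not a real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one lure-named PDF, one ZIP with a .wsf, one harmless PDF.
    samples = {
        "CancellationLetter-4821.pdf": b"%PDF-1.7\n%% constructed lure placeholder\n",
        "invoice.zip": build_sample_zip("CancellationLetter.wsf", b"<job></job>"),
        "report.pdf": b"%PDF-1.4\n%% harmless sample\n",
    }
    for name, blob in samples.items():
        for finding in inspect_attachment(name, blob):
            print(finding)
```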
Qbot itself used to be a banking trojan, but has since evolved into full-blown malware that provides access to compromised endpoints. Large cybercriminal syndicates use Qbot to deliver stage-two malware, most notably ransomware.
To defend against this attack, as well as countless similar ones out there, the best first step is common sense: if you’re not expecting an email, especially one with an attachment, be sceptical about its contents. The same goes for links in email bodies: always verify before opening any links.
Furthermore, having proper cybersecurity solutions won’t hurt: an email security solution, an antivirus, or a firewall will help in the battle against malware and ransomware. Also, having multi-factor authentication (MFA) set up on all accounts wherever possible is a great way to protect against data and identity theft.
Finally, keeping the hardware and software up to date is crucial. By applying the latest patches and firmware updates, you’re keeping your endpoints secure from known vulnerabilities that threat actors can abuse with malware.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.