
New QBot Campaign Spreads Malware through PDF and Windows Script Files

Vlad CONSTANTINESCU

April 18, 2023


A new malicious QBot campaign was recently discovered spreading on Windows devices through PDF and Windows Script Files. The former banking Trojan is notorious for facilitating initial access to compromised networks for threat actors.

Perpetrators are historically known to use QBot to deploy additional malware, such as Cobalt Strike beacons and backdoors, to move laterally on compromised networks.

Last year, researchers discovered a QBot operation spreading malware through Windows Installer Packages. The recent campaign, however, has shifted towards a hybrid approach, combining PDF attachments and Windows Script Files (WSF) to the same effect.

According to cybersecurity expert ProxyLife and the Cryptolaemus group, which unearthed QBot’s novel campaign, the malware still piggybacks on phishing emails to spread. Additionally, perpetrators now leverage rogue PDF documents with embedded malicious links that, when accessed, attempt to download a ZIP-compressed WSF to the user’s device.

This campaign requires heavy user interaction to infect a device: the victim must download the PDF attachment from the email, open it, click the obnoxious “Open” button it displays, extract the WSF from the newly downloaded ZIP file, then execute it. Despite the lengthy chain of events leading to the actual point of compromise, the human factor makes QBot infections still highly probable.
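The delivery step described above ends with a ZIP archive that carries a Windows Script File. As an added example that is not part of the original article (and not code from Bitdefender, ProxyLife or Cryptolaemus), the following Python snippet shows the kind of attachment check a mail gateway can apply: open the archive in memory, descend into nested ZIPs, and flag any member whose extension Windows Script Host would execute on double-click. The article names only .wsf; the extension list is widened here to the other Windows Script Host types as an assumption, and the archives are constructed inline with placeholder contents.

```python
"""Flag ZIP attachments that carry a Windows Script Host payload (added example)."""
import io
import zipfile

# File types that wscript.exe / cscript.exe will run when a user double-clicks them.
# The article mentions .wsf; the remaining entries are an assumption (other WSH types).
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh"}

# Markup that a well-formed Windows Script File contains.
WSF_MARKERS = (b"<job", b"<script")

MAX_NESTING = 2  # how many ZIP-in-ZIP levels to descend into


def _extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""


def script_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return one finding per script member found anywhere inside the archive."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return findings  # not a ZIP at all; other scanners decide about it
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _extension(name)
            try:
                data = archive.read(name)
            except RuntimeError:
                # Encrypted member: cannot inspect, report it so policy can decide.
                findings.append({"member": prefix + name, "ext": ext, "encrypted": True})
                continue
            if ext == ".zip" and depth < MAX_NESTING:
                findings.extend(script_members(data, depth + 1, prefix + name + "!"))
            elif ext in SCRIPT_EXTENSIONS:
                head = data[:4096].lower()
                findings.append({
                    "member": prefix + name,
                    "ext": ext,
                    "encrypted": False,
                    "wsf_markup": any(marker in head for marker in WSF_MARKERS),
                })
    return findings


def verdict(zip_bytes: bytes) -> str:
    """Gateway decision: block if any script (or uninspectable) member was found."""
    return "block" if script_members(zip_bytes) else "allow"


def build_sample_zip(members: dict) -> bytes:
    """Build a ZIP in memory from {member_name: bytes} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (placeholder bytes, no real payload).
BENIGN_ZIP = build_sample_zip({
    "report.pdf": b"%PDF-1.7\n%%EOF\n",
    "notes.txt": b"quarterly figures attached",
})
LURE_ZIP = build_sample_zip({
    "invoice_8821/Invoice.WSF":
        b'<job id="main"><script language="JScript">// placeholder</script></job>',
})
NESTED_ZIP = build_sample_zip({"inner.zip": LURE_ZIP})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("lure", LURE_ZIP), ("nested", NESTED_ZIP)):
        print(label, verdict(blob), script_members(blob))
```

The check deliberately reports encrypted members as findings rather than silently skipping them, since an archive the gateway cannot look into should not be treated as clean by default.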

Once the script is executed, it attempts to fetch a QBot DLL from a list of URLs, trying each until the download succeeds. The malicious DLL gets automatically placed in the device’s %TEMP% folder, checks whether the device is connected to the Internet, injects itself into a legitimate Windows process (Windows Error Manager, wermgr.exe), then keeps running stealthily in the background.
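The execution chain just described (Windows Script Host running a .wsf from a user-writable path, a DLL landing in %TEMP%, and an injection into wermgr.exe) is a sequence a detection engineer can correlate on the endpoint. The Python below is an added example, not code from the article or from any of the researchers it cites: it runs simple stage rules over constructed Sysmon-style event records and raises an alert when two or more stages occur on the same host within a short window. The event schema, the host names, the file names and the assumption that the dropped DLL is loaded through rundll32.exe with wscript.exe as its parent are all constructed for the example; the article itself does not state how the DLL is launched.

```python
"""Correlate endpoint events into the WSF-to-DLL QBot chain (added example)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-like records (not real telemetry). Only the fields the rules
# need are present: event kind, host, ISO timestamp, acting image, and a target.
SAMPLE_EVENTS = [
    # Stage 1: Windows Script Host runs a .wsf extracted into the Downloads folder.
    {"kind": "process_create", "host": "WS-17", "ts": "2023-04-18T09:12:03",
     "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice_8821\Invoice.wsf"'},
    # Stage 2: the script writes a DLL into %TEMP%.
    {"kind": "file_create", "host": "WS-17", "ts": "2023-04-18T09:12:05",
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\qXd3.dll"},
    # Stage 3 (assumption): the dropped DLL is loaded via rundll32 spawned by wscript.
    {"kind": "process_create", "host": "WS-17", "ts": "2023-04-18T09:12:07",
     "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\qXd3.dll,EntryPoint"},
    # Stage 4: a remote thread is created in Windows Error Manager.
    {"kind": "remote_thread", "host": "WS-17", "ts": "2023-04-18T09:12:08",
     "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\System32\wermgr.exe"},
    # Benign noise on another host: a group-policy logon script (no .wsf, network path).
    {"kind": "process_create", "host": "WS-22", "ts": "2023-04-18T09:13:00",
     "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\System32\gpscript.exe",
     "cmdline": r"wscript.exe \\corp\netlogon\map_drives.vbs"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
DLL_LOADERS = ("rundll32.exe", "regsvr32.exe")
USER_WRITABLE = ("\\users\\", "\\downloads\\", "\\appdata\\", "\\temp\\")
WINDOW = timedelta(minutes=5)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def stage_of(ev: dict) -> str | None:
    """Map one event to a named stage of the chain, or None if it matches nothing."""
    kind, image = ev["kind"], basename(ev["image"])
    if kind == "process_create":
        cmd = ev.get("cmdline", "").lower()
        if image in SCRIPT_HOSTS and ".wsf" in cmd and in_user_writable(cmd):
            return "wsf_run_from_user_path"
        if (image in DLL_LOADERS and basename(ev.get("parent", "")) in SCRIPT_HOSTS
                and ".dll" in cmd and "\\temp\\" in cmd):
            return "temp_dll_loaded_by_script_host"
    elif kind == "file_create":
        target = ev["target"].lower()
        if image in SCRIPT_HOSTS and target.endswith(".dll") and "\\temp\\" in target:
            return "dll_dropped_in_temp"
    elif kind == "remote_thread" and basename(ev["target"]) == "wermgr.exe":
        return "remote_thread_into_wermgr"
    return None


def correlate(events: list, window: timedelta = WINDOW) -> list:
    """Group stage hits per host within `window`; alert when at least two stages co-occur."""
    hits_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            hits_by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for host, hits in hits_by_host.items():
        i = 0
        while i < len(hits):
            start = hits[i][0]
            stages = []
            j = i
            while j < len(hits) and hits[j][0] - start <= window:
                if hits[j][1] not in stages:
                    stages.append(hits[j][1])
                j += 1
            if len(stages) >= 2:
                alerts.append({"host": host, "first_seen": start.isoformat(), "stages": stages})
            i = j
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring two co-occurring stages keeps a single wscript.exe launch from paging anyone, while the ordered stage list in the alert tells the responder how far along the chain the host got, which matters given the article's advice to take compromised machines offline quickly.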

ProxyLife published a list of Indicators of Compromise (IoCs) to help users determine whether the new QBot malicious campaign has infected them. Users with compromised devices are advised to take them offline as soon as possible, considering QBot can quickly spread to adjacent workstations once it establishes a point of compromise on the network.


Specialized software such as Bitdefender Ultimate Security can protect you against QBot and other strains of malware with its extensive library of features, including:

  • All-around, continuous monitoring and protection against viruses, worms, spyware, Trojans, rootkits, ransomware, zero-day exploits, and other e-threats
  • Behavioral detection module that thoroughly scans active apps for suspicious activity and takes instant action to prevent infections
  • Anti-phishing technology that detects and blocks suspicious websites that masquerade as legitimate ones to steal your data or funds
  • Antispam module that filters irrelevant, potentially harmful messages in your local email client’s inbox
