Malicious spam campaign targeting organizations grows 10-fold in a month, spreads Qbot and Emotet malware

Malicious spam campaign targeting organizations grows 10-fold in a month, spreads Qbot and Emotet malware

23 April 2022

Kaspersky has unveiled a significant spike in activity from a malicious spam-email campaign, which spreads the dangerous malware Emotet and Qbot and targets corporate users. The number of such malicious emails grew from around 3000 in February 2022 to approximately 30 000 in March. The campaign is likely connected to the increasing activity of the Emotet botnet.

Kaspersky experts have detected significant growth in complex malicious spam emails targeting organizations in various countries. These emails are being distributed as part of a coordinated campaign that aims to spread Qbot and Emotet – two notorious banking Trojans that function as part of botnet networks. Both malware instances are capable of stealing users’ data, collecting data on an infected corporate network, spreading further in the network, and installing ransomware or other Trojans on other devices in the network. One of the functions of Qbot is also to access and steal emails.

While this campaign has been ongoing for a few months, its activity increased rapidly from ~3000 emails in February 2022 to ~30 000 in March. Malicious emails have been detected in the English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian and Spanish languages.

The malware-spreading campaign is structured as follows: cybercriminals intercept already existing correspondence and send the recipients an email containing a file or link, which often leads to a legitimate popular cloud-hosting service. The aim of the email is to convince users to either (i) follow the link and download an archived document and open it – sometimes using a password mentioned in the email, or (ii) simply open an email attachment. To convince users to open or download the file the attackers usually state that it contains some important information, such as a commercial offer.

This archived document is detected by Kaspersky as HEUR:Trojan.MSOffice.Generic. In most cases it downloads and launches a Qbot dynamic library, but Kaspersky has also observed that some of these documents download Emotet instead.

A spam email sent in response to the target states that the link, which is in fact malicious, contains the documentation the recipient needs

Commenting on the campaign, Andrey Kovtun, security expert as Kaspersky, said: “Imitating work correspondence is a common trick employed by cybercriminals; however, this campaign is more complicated, since the attackers intercept an existing conversation and essentially insert themselves into it, which makes such messages harder to detect. While this scheme may resemble business email compromise attacks (BEC-attacks) – where the attackers pretend to be a colleague and have a conversation with the victim – here the attackers do not target specific individuals; business correspondence is just a smart way to increase the chances of the recipient opening the files.”

In order to stay safe from attacks by Qbot and Emotet, Kaspersky recommends the following:

  • Checking the sender’s address. Most spam comes from email addresses that don’t make sense or appear as gibberish – for example, amazondeals@tX94002222aitx2.com or similar. By hovering over the sender’s name, which itself may be spelled oddly, you can see the full email address. If you’re not sure if an email address is legitimate or not, you can put it into a search engine to check.
  • Being wary of the message creating a sense of urgency. Spammers often try to apply pressure by creating a sense of urgency. For example, the subject line may contain words like “urgent” or “immediate action required” – to pressure you into acting.
  • Providing your staff with basic cybersecurity hygiene training; also conducting a simulated phishing attack to ensure that they know how to distinguish phishing emails and genuine ones. 
  • Using a protection solution for endpoints and mail servers with anti-phishing capabilities, such as Kaspersky Endpoint Security for Business, to decrease the chance of infection through a phishing email. 
  • Installing a reliable security solution such as Kaspersky Secure Mail Gateway, which automatically filters out spam messages.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s