More than 800 corporate users have been infected in a new QBot malware distribution campaign since September 28, Kaspersky warns.
Also known as Qakbot and Pinkslipbot, QBot is an information stealer with backdoor and self-spreading capabilities that has been around since 2009 and which is often used as the initial infection vector in malicious attacks.
Earlier this year, QBot was distributed in attacks exploiting Follina, a Microsoft Support Diagnostic Tool (MSDT) vulnerability tracked as CVE-2022-30190, which leads to remote code execution.
Since 2020, one of the main infection methods employed by QBot’s operators has been the hijacking of email threads, a technique that has been used in multiple waves of attacks and which remains successful even today.
“Qbot steals email archives from infected devices and uses the stolen emails for subsequent mailings, with the acquired information being used to lure victims into opening those emails,” Kaspersky senior security researcher Victoria Vlasova explained in a conversation with SecurityWeek.
Between September 28 and October 7, Kaspersky observed close to 1,800 users being infected with QBot worldwide. More than half of the new victims are corporate users, Vlasova says.
According to the security researcher, the United States, Italy, Germany, and India are the countries targeted the most in this new campaign.
Out of a total of 220 victims in the United States, 95 are corporate users, potentially exposing their organizations to further malicious activity, including the distribution of ransomware and other malware families.
“Employees should be especially careful now when communicating in business correspondence so as not to accidentally open a malicious file with Qbot,” Vlasova points out.
Kaspersky could not confirm the number of potentially impacted organizations and the industries that have been affected the most in this campaign.
“Corporate users can be either one in a particular organization or several in one and we cannot tell the exact number of impacted organizations in this case either,” Vlasova noted.
Given that Kaspersky has provided infection details based on data collected by its security products only, the total number of new QBot infections might be much higher.
Related: New ‘Maggie’ Backdoor Targeting Microsoft SQL Servers
Related: New ‘Shikitega’ Linux Malware Grabs Complete Control of Infected Systems
Related: ‘Xenomorph’ Android Trojan Targets 56 Banking Applications