An insidious botnet is inserting itself into authentic communication between trusted parties, to trick them into clicking on malicious links so it can steal personal data and send spam, says a study by Sophos.
“Qakbot inserted malicious messages into existing email conversations,” said Sophos. “The user was asked to ‘enable content’ to activate the infection chain. Once a new target was infected it performed a profile scan, sharing the data with its command-and-control server and then downloading additional malicious modules.”
The bogus messages inserted into genuine email threads typically contain brief text content, followed by a link to download a zip file. These links come in the form of bare URLs or hotlinked text in the body of the fake message.
Qakbot is described by Sophos as “an increasingly complex and dangerous botnet that features unconventional encryption, which it also uses to conceal the content of its communications.”
The Sophos study learned that Qakbot deploys at least three malicious payloads: a module to inject password-stealing code into web pages, another that conducts network scans to collect information about other devices near the infected computer, and a third that tries to connect with email servers so it can bombard them with spam.
“Because the malware is so good at doing this – quoting the original message after its malicious reply – it can be challenging for the targets of these attacks to recognize that the messages they receive didn’t come from the human being who owns the email box where they originated,” added Sophos.
Sophos added that Qakbot’s resurgence in recent months could be explained by its competitors – other email-driven botnets such as Emotet and Trickbot – suffering setbacks at the hands of tech companies, law enforcement agencies, and even disgruntled former criminal partners.
More from Cybernews:
Subscribe to our newsletter