Cybercrime as-a-service , Fraud Management & Cybercrime , Malware as-a-Service

US Election Interference-Themed Spam Spreads Banking Trojan

Fraudsters Using Election Concerns to Infect Devices with Qbot Malware
US Election Interference-Themed Spam Spreads Banking Trojan
Spam emails with US presidential election messages that hide the Qbot banking Trojan (Source: Malwarebytes)

Only a few hours after polls closed on Tuesday, fraudsters started using the uncertainty over the winner of the U.S. presidential election to send out spam messages that are designed to infect devices with the Qbot banking Trojan, according to Malwarebytes.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

In this campaign, the fraudsters are hijacking email threads and using them to send spam or phishing emails that have an election theme as part of a social-engineering ploy. In many cases, the messages come with an attached zip file labeled "ElectionInterference" as a way to entice a target to open the document, according to Jerome Segura and Hossein Jazi, threat researchers with Malwarebytes.

"While the election results are still being evaluated and debated, victims are enticed to open up the document to read about alleged election interference," the two researchers note in their report.

The zip file contains a malicious Excel spreadsheet designed to look like a secure DocuSign file. If the macros are enabled, the document will then download a payload - the Qbot Trojan, according to the report.

QBot, or QakBot, is a well-known banking Trojan that has been circulating since at least 2008. In a report released in August, Check Point Research found the operators of this malware have recently changed its coding to allow it to hijack Microsoft Outlook email threads to spread additional malicious messages (see: Qbot Banking Trojan Now Hijacks Outlook Email Threads ).

The banking Trojan also can steal device information, passwords, emails and credit card details; act as a dropper to help install other malware, including ransomware, within an infected device; and connect to the victim's device to conduct banking transactions, according to the report.

In previous campaigns, Qbot has targeted the customers of several large financial institutions, including JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo, according to security researchers with F5 Labs.

Timely Lures

The Malwarebytes report notes that fraudsters wasted little time in recrafting phishing emails and spam to take advantage of the uncertainty that followed the presidential election on Tuesday and which remains undecided as of Thursday.

Malicious Excel spreadsheet designed to look like a secure DocuSign file (Source: Malwarebytes)

This follows a similar pattern that security researchers saw when the COVID-19 pandemic first hit in March (see: COVID-19 Phishing Schemes Escalate; FBI Issues Warning).

Even more recently, fraudsters sent out phishing emails that reportedly contained information about the health of President Donald Trump after he tested positive for COVID-19 (see: Trump's COVID-19 Illness Sparks Phishing Campaigns).

"Spam campaigns routinely abuse email delivery notifications (FedEx, DHL, etc.) or bank alerts to disguise malicious payloads," Segura and Jazi note in the report. "But world events such as the COVID pandemic or the U.S. elections provide ideal material to craft effective schemes resulting in high infection ratios."

The Malwarebytes team notes that once the Qbot Trojan infects a compromised device and connects to its command-and-control server, the malware will begin harvesting emails from that device and turn those into spam that could eventually target other victims with election-themed messages, according to the report.

And while Tuesday's election passed without a major cyber incident, officials are still warning to be on the lookout for misinformation, as well as phishing campaigns and other frauds, which could materialize in the coming days as votes are tallied (see: Post-Election Day: US on Guard for Hacking, Misinformation).

Qbot and Emotet

While the Malwarebytes researchers found the operators of Qbot using the presidential election to spread the banking Trojan, other researchers have noted the malware is also delivered through the Emotet botnet, which has been active since July (see: Emotet Attacks Continue to Soar as Botnet Spreads Globally).

About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.