US Election Interference-Themed Spam Spreads Banking Trojan
Fraudsters Using Election Concerns to Infect Devices with Qbot Malware

Only a few hours after polls closed on Tuesday, fraudsters started using the uncertainty over the winner of the U.S. presidential election to send out spam messages that are designed to infect devices with the Qbot banking Trojan, according to Malwarebytes.
In this campaign, the fraudsters are hijacking email threads and using them to send spam or phishing emails that have an election theme as part of a social-engineering ploy. In many cases, the messages come with an attached zip file labeled "ElectionInterference" as a way to entice a target to open the document, according to Jerome Segura and Hossein Jazi, threat researchers with Malwarebytes.
"While the election results are still being evaluated and debated, victims are enticed to open up the document to read about alleged election interference," the two researchers note in their report.
The zip file contains a malicious Excel spreadsheet designed to look like a secure DocuSign file. If the recipient enables macros, the document downloads the payload, the Qbot Trojan, according to the report.
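The lure chain described above (a zip attachment named "ElectionInterference" carrying a macro-enabled Excel workbook) is what a mail gateway would want to flag before delivery. The following triage routine is an added example, not code from Malwarebytes or the report; the filename token, the extension list and the in-memory sample attachment are constructed for the demonstration.

```python
"""Triage a zip attachment for the lure pattern: a suspicious filename plus an
Excel workbook that carries a VBA project. Added example; names are constructed."""
import io
import zipfile

SUSPICIOUS_NAME_TOKENS = ("electioninterference",)  # token from the campaign write-up
EXCEL_EXTENSIONS = (".xls", ".xlsm", ".xlsb", ".xltm")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container


def excel_has_macros(data: bytes) -> bool:
    """OOXML workbooks store VBA as xl/vbaProject.bin. A legacy .xls is an OLE
    compound file that cannot be inspected with zipfile, so it is flagged
    conservatively as 'may carry macros'."""
    if data[:8] == OLE_MAGIC:
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as workbook:
            return any(n.lower() == "xl/vbaproject.bin" for n in workbook.namelist())
    except zipfile.BadZipFile:
        return False


def triage_zip_attachment(name: str, data: bytes) -> dict:
    """Return a verdict and the reasons behind it for one zip attachment."""
    reasons = []
    if any(token in name.lower() for token in SUSPICIOUS_NAME_TOKENS):
        reasons.append("attachment name matches known lure token")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as outer:
            for member in outer.namelist():
                if member.lower().endswith(EXCEL_EXTENSIONS):
                    if excel_has_macros(outer.read(member)):
                        reasons.append(f"macro-enabled workbook inside zip: {member}")
    except zipfile.BadZipFile:
        reasons.append("attachment is not a valid zip archive")
    return {"attachment": name, "verdict": "quarantine" if reasons else "allow",
            "reasons": reasons}


def build_sample_attachment() -> bytes:
    """Constructed sample: a zip holding a minimal .xlsm that contains a VBA project."""
    workbook = io.BytesIO()
    with zipfile.ZipFile(workbook, "w") as xlsm:
        xlsm.writestr("xl/workbook.xml", "<workbook/>")
        xlsm.writestr("xl/vbaProject.bin", b"\x00placeholder-vba-project")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("ElectionInterference_12345.xlsm", workbook.getvalue())
    return outer.getvalue()
```

Run `triage_zip_attachment("ElectionInterference.zip", build_sample_attachment())` to see both the filename match and the embedded macro project reported as quarantine reasons.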
Qbot, or QakBot, is a well-known banking Trojan that has been circulating since at least 2008. In a report released in August, Check Point Research found that the operators of this malware had recently updated its code to let it hijack Microsoft Outlook email threads and spread additional malicious messages (see: Qbot Banking Trojan Now Hijacks Outlook Email Threads).
The banking Trojan also can steal device information, passwords, emails and credit card details; act as a dropper to help install other malware, including ransomware, within an infected device; and connect to the victim's device to conduct banking transactions, according to the report.
In previous campaigns, Qbot has targeted the customers of several large financial institutions, including JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo, according to security researchers with F5 Labs.
Timely Lures
The Malwarebytes report notes that fraudsters wasted little time in recrafting phishing emails and spam to take advantage of the uncertainty that followed Tuesday's presidential election, whose outcome remained undecided as of Thursday.
This follows a similar pattern that security researchers saw when the COVID-19 pandemic first hit in March (see: COVID-19 Phishing Schemes Escalate; FBI Issues Warning).
Even more recently, fraudsters sent out phishing emails that reportedly contained information about the health of President Donald Trump after he tested positive for COVID-19 (see: Trump's COVID-19 Illness Sparks Phishing Campaigns).
"Spam campaigns routinely abuse email delivery notifications (FedEx, DHL, etc.) or bank alerts to disguise malicious payloads," Segura and Jazi note in the report. "But world events such as the COVID pandemic or the U.S. elections provide ideal material to craft effective schemes resulting in high infection ratios."
The Malwarebytes team notes that once the Qbot Trojan infects a device and connects to its command-and-control server, the malware begins harvesting emails from that device and turns them into spam that could eventually target other victims with election-themed messages.
And while Tuesday's election passed without a major cyber incident, officials are still warning the public to be on the lookout for misinformation, as well as phishing campaigns and other frauds, which could materialize in the coming days as votes are tallied (see: Post-Election Day: US on Guard for Hacking, Misinformation).
Qbot and Emotet
While the Malwarebytes researchers found the operators of Qbot using the presidential election to spread the banking Trojan, other researchers have noted the malware is also delivered through the Emotet botnet, which has been active since July (see: Emotet Attacks Continue to Soar as Botnet Spreads Globally).