QBot Banking Trojan Phishing Campaign
The NJCCIC has detected an active phishing campaign attempting to deliver the QBot banking trojan to New Jersey government accounts. These emails appear as replies to previous email threads and contain URLs linking to Visual Basic Script (VBScript) files. If executed, these files will install QBot. Common subject lines associated with this campaign include references to a portal, application, or tax information. QBot monitors the browsing activity of infected computers, records information from financial websites, and supports polymorphic capabilities, allowing it to self-mutate as it moves inside a network. Qbot may download files and exfiltrate other sensitive information including passwords from an infected system. The NJCCIC recommends educating end users about this and similar phishing threats, reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Users are advised to run an up-to-date anti-virus/anti-malware program on all devices and enable multi-factor authentication where available to prevent account compromise as a result of credential theft.