Conversation Hijacking Campaign Attempts to Deliver Qbot

The NJCCIC has received reports of a conversation hijacking campaign distributed via spoofed email messages attempting to deliver the Qbot banking trojan. These spoofed email messages appear to be replies to previous legitimate email conversations and contain OneDrive URLs linking to malicious ZIP files embedded with Visual Basic Script (VBScript). If executed, these files will download and install Qbot. Common subject lines associated with this campaign begin with “RE:” and include references to changes, updates, confirmations, and named individuals. Threat actors use highly-customized phishing techniques and realistic-looking email signatures to gain the target’s trust and trick them into downloading the malware. Qbot monitors the browsing activity of infected computers, records information from financial websites, and supports polymorphic capabilities, allowing it to self-mutate as it moves inside a network. Qbot may download files and exfiltrate other sensitive information including passwords from an infected system. The NJCCIC recommends educating users about this and similar phishing threats, reminding them never to click on links or open attachments delivered in unexpected or unsolicited emails. Users are advised to run updated anti-virus/anti-malware programs on all devices and enable multi-factor authentication where available to prevent account compromise as a result of credential theft.