QBot Trojan delivered via malspam campaign exploiting US election uncertainties

by chebbi abir

The 2020 US elections have been the subject of intense scrutiny and emotions, while happening in the middle of a global pandemic. As election night ended and uncertainty regarding the results began to creep in, threat actors decided to jump in on it too.

Those tracking the threat landscape know very well that major world events do not go unnoticed by criminals. In this case, we began observing a new spam campaign delivering malicious attachments that exploit doubts about the election process.

The QBot banking Trojan operators return with yet another themed spam wave using the same hijacked email thread technique enticing victims with malicious election interference attachments.

Hijacked email threads pushing bogus DocuSign documents

The malicious emails come as thread replies, similar to what Emotet does to add legitimacy and make detection harder. They contain zip attachments aptly named ElectionInterference_[8 to 9 digits].zip.

While the election results are still being evaluated and debated, victims are enticed to open up the document to read about alleged election interference:

Figure 1: Malicious email with ElectionInterference attachment

The extracted file is an Excel spreadsheet that has been crafted as if it were a secure DocuSign file. Users are tricked to allow macros in order to ‘decrypt’ the document.

Figure 2: Excel document containing malicious macro

This tried and tested trick will download a malicious payload onto the victim’s machine. The URL for that payload is encoded in a cell of a Cyrillic-named sheet “Лист3”.

Figure 3: Payload URL obfuscation

Once executed, the QBot Trojan will contact its command and control server and request instructions. In addition to stealing and exfiltrating data from its victims, QBot will also start grabbing emails that will later be used as part of the next malspam campaigns.

Figure 4: QBot process flow execution

World events are the best lure

At the core of the malware attacks we witness each day are typical social engineering schemes. Threat actors need to get victims to perform a certain set of actions in order to compromise them.

Spam campaigns routinely abuse email delivery notifications (Fedex, DHL, etc.) or bank alerts to disguise malicious payloads. But world events such as the Covid pandemic or the US elections provide ideal material to craft effective schemes resulting in high infection ratios.

Malwarebytes users were already protected against this attack thanks to our Anti-Exploit technology. Additionally, we detect the payload as Backdoor.Qbot.

Figure 5: Malwarebytes blocking the macro from delivering its payload

Indicators of Compromise

Malicious Excel documents





QBot C2s


MITRE ATT&CK techniques


Tactic ID Name Details
Execution T1059 Command-Line Interface Starts CMD.EXE for commands execution
  T1106 Execution through API Application launched itself
  T1053 Scheduled Task Loads the Task Scheduler COM API
Persistence T1050 New Service Executed as Windows Service
  T1060 Registry Run Keys / Startup Folder Changes the autorun value in the registry
  T1053 Scheduled Task Loads the Task Scheduler COM API
Privilege Escalation T1050 New Service Executed as Windows Service
  T1055 Process Injection Application was injected by another process
  T1053 Scheduled Task Loads the Task Scheduler COM API
Defense Evasion T1553 Install Root Certificate Changes settings of System certificates
  T1055 Process Injection Application was injected by another process
Discovery T1087 Account Discovery Starts NET.EXE to view/change users group
  T1135 Network Share Discovery Starts NET.EXE for network exploration
  T1069 Permission Groups Discovery Starts NET.EXE to view/change users group
  T1012 Query Registry Reads the machine GUID from the registry
  T1018 Remote System Discovery Starts NET.EXE for network exploration
  T1082 System Information Discovery Reads the machine GUID from the registry
  T1016 System Network Configuration Discovery

Uses IPCONFIG.EXE to discover IP address


To read the original article:  https://blog.malwarebytes.com/cybercrime/2020/11/qbot-delivered-via-malspam-campaign-exploiting-us-election-uncertainties/


Interdit de copier  ce contenu