Also known as Qakbot and Pinkslipbot, QBot is an information stealer with backdoor and self-spreading capabilities that has been around since 2009 and is often used as the initial infection vector in attacks.
Earlier this year, QBot was distributed in attacks exploiting Follina, a Microsoft Support Diagnostic Tool (MSDT) vulnerability tracked as CVE-2022-30190, which leads to remote code execution.
Since 2020, one of the main infection methods employed by QBot’s operators has been the hijacking of email threads, a technique that has been used in multiple waves of attacks and remains successful even today.
“Qbot steals email archives from infected devices and uses the stolen emails for subsequent mailings, with the acquired information being used to lure victims into opening those emails,” Kaspersky senior security researcher Victoria Vlasova explained in a conversation with SecurityWeek.
Between September 28 and October 7, Kaspersky observed close to 1,800 users being infected with QBot worldwide. More than half of the new victims are corporate users, Vlasova says.