
Malicious spam operation targeting organizations grows 10x in one month

  • April 25, 2022


Kaspersky has discovered a significant increase in the activity of a malicious spam email operation that distributes the Emotet and Qbot malware and targets business users. The number of such malicious emails rose from about 3,000 in February 2022 to nearly 30,000 in March. The operation is said to be related to the increased activity of the Emotet botnet.

Kaspersky experts have observed significant growth in complex, malicious spam emails targeting organizations in different countries. These emails are sent as part of a planned operation to distribute Qbot and Emotet, two notorious banking Trojans that operate as part of botnets. Both can steal users' data, collect data on an infected corporate network, spread further across the network, and install ransomware or other Trojans on other devices on the network. One feature of Qbot that stands out is its ability to access and steal emails.

Although this operation has been going on for several months, activity has grown from 3,000 emails in February 2022 to 30,000 in March. Malicious emails belonging to the operation have been detected in English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian and Spanish.

Here’s how the malware distribution operation works: cybercriminals intercept existing correspondence and send the recipients an email with a file or a link that usually redirects to a legitimate and popular cloud hosting service. The purpose of the email is to persuade users either to follow the link and download an archived document, sometimes using a password provided in the email, or simply to open the email attachment. To trick users into opening or downloading the file, attackers often say that the file contains important information, such as a commercial offer.

Kaspersky detects this document as HEUR:Trojan.MSOffice.Generic. When opened, in most cases it downloads and launches Qbot’s dynamic library. However, Kaspersky also noted that this malware sometimes downloads Emotet.
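The delivery pattern described above (a reply inside an existing thread that brings an archive or a link together with a password in the message text) can be turned into a simple mail-triage heuristic. The sketch below is an added example, not Kaspersky's detection logic; the extension list, the regular expressions and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

ARCHIVE_EXT = (".zip", ".7z", ".rar", ".iso")  # assumed list, tune per environment
PASSWORD_RE = re.compile(r"\b(?:password|passcode|pwd)\b\s*[:=]?\s*\S+", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.I)

def lure_signals(raw: str) -> dict:
    """Return the reply-chain lure signals found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    # Only text the sender added; quoted earlier correspondence is skipped.
    new_text = "\n".join(
        line for line in body.splitlines() if not line.lstrip().startswith(">"))
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    s = {
        "in_thread": bool(msg["In-Reply-To"] or msg["References"]),
        "archive_attached": any(n.endswith(ARCHIVE_EXT) for n in names),
        "link_in_new_text": bool(URL_RE.search(new_text)),
        "password_in_new_text": bool(PASSWORD_RE.search(new_text)),
    }
    # Flag: reply in a thread that delivers an archive or link plus its password.
    s["suspicious"] = s["in_thread"] and s["password_in_new_text"] and (
        s["archive_attached"] or s["link_in_new_text"])
    return s

def build_sample(text: str, attach_zip: bool = False) -> str:
    """Constructed sample message (not real campaign data)."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.com"
    m["Subject"] = "Re: Q2 offer"
    m["In-Reply-To"] = "<constructed-1@example.com>"
    m.set_content(text + "\n\n> Earlier quoted mail, password: old\n")
    if attach_zip:
        m.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                         subtype="zip", filename="Offer.ZIP")
    return m.as_string()

if __name__ == "__main__":
    lure = build_sample("Please see the attached offer.\nPassword: 7731", True)
    plain = build_sample("Thanks, notes are at https://example.com/notes")
    print(lure_signals(lure))
    print(lure_signals(plain))
```

A hit is a reason to quarantine the message for review, not a verdict: legitimate senders also share password-protected archives, so the signal is best combined with sender verification and attachment scanning.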

Commenting on the dangerous operation, Kaspersky security specialist Andrey Kovtun said: “Forging business correspondence is a common trick used by cyber criminals. However, this operation is more complex, as the attackers intercept an existing correspondence and insert themselves into it. This makes it difficult to detect such messages. This technique is similar to corporate email breach attacks (BEC attacks), where attackers impersonate a colleague and chat with the victim, but here the attackers do not target specific individuals. Business correspondence is a smart way to increase the chances of the recipient opening the files.”

To protect against Qbot and Emotet attacks, Kaspersky recommends the following:

  • The sender’s address must be verified. Most spam messages come from incomprehensible or ridiculous-looking email addresses, for example, [email protected]. The full email address can be viewed by hovering over the sender’s name. To check whether an email address is legitimate, the address can be searched on a search engine.
  • Beware of messages that create a sense of urgency. Spammers often try to pressure recipients into downloading and opening the file by creating a sense of urgency. For example, the subject line might contain words like “urgent” or “need urgent action” to force action.
  • Staff should receive basic cybersecurity training. A simulated phishing attack can also be used to check whether they can distinguish phishing emails from real ones.
  • To reduce the chance of infection via phishing email, endpoints and mail servers should use a security solution with anti-phishing features, such as Kaspersky Endpoint Security for Business.
  • A reliable security solution should be installed, such as Kaspersky Secure Mail Gateway, which automatically filters out spam.

Source: (BHA) – Beyaz News Agency

Source: Haber Safir
