Check Point experts have presented their monthly threat report, the Global Threat Index for August 2020. According to the researchers, the updated Qbot Trojan (aka QuakBot, Qakbot and Pinkslipbot) entered the top ten most widespread malware families in the world for the first time, taking tenth place.
Qbot was first discovered by experts back in 2008, and over the years it has evolved from an ordinary info-stealer into a real "Swiss army knife" for attackers. Today, Qbot is capable of, for example, delivering other types of malware to an infected system, and it can even be used to connect remotely to a compromised machine and carry out banking transactions from the victim's IP address. As a rule, Qbot spreads in the classic way: through phishing emails that carry dangerous attachments or lure users to malicious sites controlled by the attackers.
Check Point experts note that the updated version of Qbot can steal emails from its victims and then use them to send spam, thereby creating more believable lures.
Between March and August 2020, Check Point researchers discovered several campaigns distributing the updated version of Qbot, including one in which the malware was delivered by Emotet. According to the experts, in July 2020 this campaign affected 5% of organizations worldwide.
“Attackers are always looking for ways to improve malware. Now they are clearly investing heavily in the development of Qbot – it can be used for mass theft of data from organizations and ordinary users,” says Vasily Diaghilev, head of Check Point Software Technologies in Russia and the CIS. “We have already seen active malicious spam campaigns that Qbot has been distributing. We also noted that sometimes Qbot is distributed by another Trojan, Emotet. Companies need to consider introducing security solutions that will prevent such content from reaching users. It is important to remind employees to be very careful when opening emails, even if at first glance they appear to come from a trusted source.”
Overall, in August 2020 the most active malware families in Russia were as follows:
- Emotet is an advanced self-propagating modular Trojan. Once an ordinary banking Trojan, it has recently been used to distribute other malware and to run malicious campaigns. Its new functionality allows it to send phishing emails containing malicious attachments or links.
- AgentTesla is an advanced Remote Access Trojan (RAT). It has been infecting computers since 2014, acting as a keylogger and password stealer.
- Pykspa is a worm that spreads by sending messages to Skype contacts. It extracts users' personal information from infected devices and communicates with its command-and-control servers using domain generation algorithms (DGA).
The global top ten is slightly different. This month Emotet remained the most widespread malware in the world, affecting 14% of organizations, followed by AgentTesla and FormBook, each of which attacked 3% of companies. FormBook is an info-stealer first discovered in 2016. It is marketed as malware-as-a-service (MaaS) on underground hacking forums because of its advanced evasion techniques and relatively low cost. FormBook collects credentials from various browsers, takes screenshots, monitors and logs keystrokes, and can download and execute files on instruction from its command-and-control server.