Woburn, MA — April 19, 2022 – Kaspersky has unveiled a significant spike in activity from a malicious spam-email campaign, which spreads the dangerous malware Emotet and Qbot and targets corporate users. The number of such malicious emails grew from around 3,000 in February 2022 to approximately 30,000 in March. The campaign is likely connected to the increasing activity of the Emotet botnet.
Kaspersky experts have detected significant growth in complex malicious spam emails targeting organizations in various countries. These emails are being distributed as part of a coordinated campaign that aims to spread Qbot and Emotet – two notorious banking Trojans that function as part of botnet networks. Both malware instances are capable of stealing users’ data, collecting data on an infected corporate network, spreading further in the network, and installing ransomware or other Trojans on other devices in the network. One of the functions of Qbot is also to access and steal emails.
While this campaign has been ongoing for a few months, its activity increased rapidly from ~3,000 emails in February 2022 to ~30,000 in March. Malicious emails have been detected in the English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian and Spanish languages.
The malware-spreading campaign is structured as follows: cybercriminals intercept already existing correspondence and send the recipients an email containing a file or link, which often leads to a legitimate popular cloud-hosting service. The aim of the email is to convince users to either (i) follow the link and download an archived document and open it – sometimes using a password mentioned in the email, or (ii) simply open an email attachment. To convince users to open or download the file the attackers usually state that it contains some important information, such as a commercial offer.
This archived document is detected by Kaspersky as HEUR:Trojan.MSOffice.Generic. In most cases it downloads and launches a Qbot dynamic library, but Kaspersky has also observed that some of these documents download Emotet instead.
“Imitating work correspondence is a common trick employed by cybercriminals, however this campaign is more complicated as the attackers intercept an existing conversation and essentially insert themselves into it which makes such messages harder to detect,” comments Andrey Kovtun, security expert as Kaspersky. “While this scheme may resemble business email compromise attacks (BEC-attacks) – where the attackers pretend to be a colleague and have a conversation with the victim – here the attackers do not target specific individuals; business correspondence is just a smart way to increase the chances of the recipient opening the files.”
In order to stay safe from attacks by Qbot and Emotet, Kaspersky recommends the following:
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.