A new version of the decade-old Qbot Trojan has been detected in the wild with new features, including the ability to hijack Microsoft Outlook email threads.

Detailed today by security researchers at Check Point Software Technologies Ltd., the new version of Qbot is described as having become the malware equivalent of a Swiss Army knife.

The new version is said to be capable of stealing information from infection machines such as passwords and credit card information. It can also install other malware including ransomware, allow the bot controller to connect to a victim’s computer to make banking transactions, and hijack user’s legitimate email threads and using those threads to try to infect other machines.

The new version of Qbot was first detected in the latest Emotet Trojan campaign that was detected in July. Emotet in turn is distributed through a phishing campaign targeting Microsoft Office users and notably was described July 19 as often waiting “days or even weeks to take further action, including the ability to install other forms of malware on a victim’s computer.”

One form of malware being installed from the Emotet campaign is Qbot with the researchers able to use the sample to discover both a renewed command and control infrastructure along with the brand new malware techniques.

The new version Qbot was also detected being distributed directly through a so-called “malspam” campaign in August. The Trojan was observed activating a special “email collector module,” which extracts all email threads from the victim’s Outlook client and uploads it to a remote server for later use in ongoing malspam campaigns.

“These days Qbot is much more dangerous than it was previously — it has active malspam campaigns, which infects organizations and it manages to use a third-party infection infrastructure like Emotet’s to spread the threat even further,” the researchers noted.

Vinay Sridhara, chief technology officer at cybersecurity company Balbix Inc., told SiliconANGLE that the Qbot Trojan’s malware can also install additional malware and ransomware, such as mimikatz, which harvests credentials.

“Basically, QBot preys on several common end-user weaknesses,” he said. “One of the ways that companies can help their employees from falling victim to this malware and other cyberthreats is to teach password management and hygiene, as hackers are taking advantage of rampant password reuse.”

Sridhara also said it’s important to engage with users continuously on appropriate cyberhygiene. “With the initial payload delivered via URLs in documents, training is an important factor,” he said. “It’s helpful to keep track of your highest risk users as well, via automated, AI-based tools that identify risky behavior that’s likely to lead to phishing or malware downloads.”

Photo: Jorge Lascar/Wikimedia Commons