When Microsoft started blocking macros in Internet-delivered Office files, threat actors had to come up with new ways of distributing malware via email. Since then, there has been a rise in the use of OneNote files in phishing attacks. OneNote files allow scripts to be embedded and serve as an ideal replacement for Office files and macros; however, Microsoft has responded with security updates for OneNote to prevent this technique from being used for malware distribution. There has also been an increase in the use of container files to bypass protections, which include compressed files such as .rar and .zip, and .iso files.

Another method of bypassing these protections has been adopted to distribute QBot malware. QBot is used to gain initial access to business networks and is often used to drop malware payloads for other threat actors. QBot used to be delivered via phishing emails using malicious macros in Office file attachments, but that technique is no longer viable due to Microsoft’s updates. Instead, the threat actor is now using a combination of .pdf files and Windows Script Files. The phishing emails have a .pdf attachment, which downloads a .wsf file, which is used to deliver QBot.

The emails used in this campaign are reply chain emails, which makes it appear that the emails have been sent as a reply to a previous conversation. That increases the chances of the email being opened as employees are usually trained to be suspicious of unsolicited emails from unknown senders. If the attachment is opened, the PDF file states that the document is protected, and the user is required to click an ‘open’ link, which will trigger a download of a .zip file that includes a Windows Script file.

If the user double clicks that file, the script will be executed, which will run a PowerShell script that will deliver QBot from a hardcoded URL and execute the malware. QBot will be injected into the Windows Error Manager program and will run silently in the background. QBot will steal sensitive data and can move laterally and compromise other devices on the network. Once data has been stolen, access to QBot-infected devices is sold to ransomware gangs. A single device infected with QBot can easily end with large-scale data theft and a network-wide ransomware attack.

The latest campaign involves PDF file attachments, but the methods used for distributing malware such as QBot often change and will continue to do so. The key to improving security is to adopt a defense-in-depth approach, where there are multiple overlapping layers of security in place. If any one measure fails, others will be in place to continue to provide protection.

An email security solution such as SpamTitan is a good place to start. SpamTitan Email Security adds multiple layers of security to your defenses by performing extensive checks on all inbound and outbound emails. Message headers are checked, as is the reputation of the sender, and machine learning techniques are used to identify messages that deviate from the normal messages a user receives. Multiple scans are conducted on email attachments looking for malware and malicious scripts, including signature-based and behavior-based detection through dual antivirus engines and a Bitdefender-powered sandbox. Links are checked and followed to block phishing and malware downloads.

A web filtering solution is an important security measure for blocking the web-based component of these attacks. All attempts to connect with a URL – including automated attempts and clicks by users – will be assessed in real time and blocked if an attempt is made to connect to a known malicious URL. WebTitan can be configured to block downloads of executable files, such as .wsf files, and controls can be implemented to restrict access to websites to confirmed benign URLs.

Email-based attacks attempt to exploit human weaknesses so it is also important to improve your human defenses through security awareness training. The SafeTitan security awareness training platform can be used to automate workforce training and teach security best practices and eliminate risky behaviors, and make employees aware of the threats they are likely to encounter. The platform also includes a phishing simulator with hundreds of phishing templates to test employees to see how they respond to real-world threats, and automatically assigns further training modules if they fail a phishing simulation. These three solutions can be adopted by businesses to greatly improve their security posture against current and evolving threats. Speak with TitanHQ today to find out more.

Jennifer Marsh

With a background in software engineering, Jennifer Marsh has a passion for hacking and researching the latest cybersecurity trends. Jennifer has contributed to TechCrunch, Microsoft, IBM, Adobe, CloudLinux, and IBM. When Jennifer is not programming for her latest personal development project or researching the latest cybersecurity trends, she spends time fostering Corgis.