A report published by Sophos on 10 March 2022, covering the same issue that Trend Micro reported in November 2021, warns us to be cautious of unrelated emails arriving inside existing email threads.

Brief overview of Qakbot

Qakbot, also referred to as Qbot and Pinkslipbot, is a ‘modular information stealer’ that began as a banking Trojan (designed to steal financial data from infected systems) back in 2007 but has continued to evolve and is now used for data exfiltration (e.g., password theft), malicious payload delivery (e.g., installing ransomware and backdoors), and reconnaissance (e.g., determining the structure of the networks of potential targets).

As Microsoft noted in December 2021, it’s the ‘modular’ nature of Qakbot that has enabled a 15-year-old threat to continue to cause problems today: “It enables attackers to pick and choose the “building blocks” they need for each attack chain depending on the network environment the malware lands on.”

Like other malware families, Qakbot has also given attackers a platform for selling access to infected devices to other attackers, who then carry out their own attacks.

The latest Qakbot threat

What’s concerning us most recently, however, is Qakbot’s ability to insert itself into email threads (i.e., email conversations between two or more people) and seek to spread among the email recipients.

Sophos found that Qakbot is used to hijack email accounts, identify ongoing email conversations within the account, and then reply to those emails with a short sentence and links to infected Microsoft Office files.

As the Sophos authors noted, the danger comes from the fact that the “recipients may not realise that the Qakbot-spreading email messages are not just part of an ongoing conversation between multiple parties.”

How to protect data and systems from Qakbot

You can protect yourself from Qakbot, and other threats that spread through email, by following some general security guidelines:

  1. Don’t download attachments from or follow links in emails before verifying the sender and the authenticity of the content.
  2. Check the ‘target’ of links (i.e., where the link actually takes you to, which may be different from the claimed destination) by hovering the mouse pointer above them.
  3. Establish the sender’s identity:
    1. Attackers often seek to disguise their identity. Things like email addresses that you don’t recognise, or email addresses that don’t appear to match sender names, are often signs that an email could be malicious.
    2. Attackers also attempt to masquerade as legitimate organisations. You can contact them directly (not by replying to the email you received) to check whether an email purporting to be from them is genuine.
  4. Don’t turn off the inbuilt protections that Microsoft includes and activates by default in Office. If a file you’re attempting to open says you need to “Enable Content” or “Enable Editing”, and it’s come from someone you don’t know or has arrived unexpectedly, it’s probably malicious.
  5. Implement a good anti-malware solution, and preferably an ‘Endpoint Detection and Response’ (EDR) solution, which has greater capability to recognise and defend against unknown threats. You can read more about EDR and the SentinelOne solution that we provide at our Endpoint Security page, and just get in touch with us if you’d like a chat about it.
  6. Similarly, as so many threats use email as the distribution mechanism, it is usually advisable to implement a robust email security service. There’s more information on our Email Security page.
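As an added illustration of the in-thread reply pattern described above and of the link-target check in point 2, here is a small Python triage script; it is not from the Sophos report or from this page, and it runs on a constructed sample message rather than a real Qakbot email. It flags the indicators the post discusses: a short reply inside an existing thread, a link whose visible text names a different host from its real target, and a link to an Office or archive file.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample reply (not a real Qakbot message): a reply inside an existing thread,
# one short sentence, and a link whose visible text shows a host other than its real target.
SAMPLE_EML = """\
From: "Alice Smith" <alice@contoso.example>
Subject: RE: Q3 budget figures
In-Reply-To: <orig-123@fabrikam.example>
Content-Type: text/html; charset=utf-8

<p>Updated file attached, please review.
<a href="http://cdn.unrelated.example/budget.zip">https://contoso.example/share/budget.xlsx</a></p>
"""

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs plus the plain text of an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self.links.append([self._href, ""])
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self.links[-1][1] += data

def analyse(raw_eml: str) -> list[str]:
    """Return the reply-hijack indicators found in one message (empty list = none)."""
    msg = message_from_string(raw_eml, policy=policy.default)
    parser = _LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html", "plain")).get_content())
    findings = []
    in_thread = bool(msg["In-Reply-To"] or msg["References"])
    if in_thread and parser.links and len("".join(parser.text).split()) < 20:
        findings.append("short in-thread reply carrying a link")
    for href, shown in parser.links:
        shown_host = urlparse(shown.strip()).hostname  # None unless the text is itself a URL
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but target is {real_host}")
        if real_host and href.lower().endswith((".doc", ".docm", ".xls", ".xlsm", ".zip")):
            findings.append(f"link target is a downloadable file on {real_host}")
    return findings
```

The word-count threshold and file-extension list are assumptions chosen for this illustration; a mail gateway would tune them against its own traffic.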