A study published on June 10 by risk solutions provider Kroll reports a growing trend in the use of the Qakbot trojan, also known as Qbot. Kroll’s Cyber Risk team found that hackers are using Qbot to launch email thread hijacking campaigns and then deploy ransomware attacks.
Banking trojans are the tools most commonly used to launch ransomware attacks. Based on these findings and those of analysts from the National Cyber-Forensics and Training Alliance, the criminals behind them seek to steal financial data. They target many industries, including education, media, and academia.
The COVID-19 pandemic has also enabled and supported the attacks, which target the health care industry too. The trojan is primarily used as the point of entry by the operators behind the ProLock ransomware gang. According to the report, victims are easy targets because the phishing structures established by the hackers are sophisticated.
Attack Strategies Used By The Qakbot Trojan
Qakbot is a banking trojan that has been active for more than 10 years, according to Kroll. It relies mainly on keyloggers, brute force attacks, authentication cookie grabbers, and Windows account credential theft, among many other methods.
Laurie Iacono, vice president of Kroll’s cyber risk team and one of the authors of the research, explained various reasons why cybercriminals are relying on trojans like Qakbot to launch ransomware attacks:
“The ultimate reason is to maximize their profits. Within the past 18 months, Kroll has observed multiple cases where a trojan infection is the first step of a multi-phased attack—hackers infect a system; find a way to escalate privileges, conduct reconnaissance, steal credentials (and sometimes sensitive data); and then launch a ransomware attack from an access level where it can do the most damage. They can make money on the ransom payment and potentially on the sale of stolen data and credentials—plus the stolen data helps force infected companies to pay the ransom.”
Cole Manaster, the research’s co-author and vice president of Kroll’s cyber risk department, told reporters that the rise of thread hijacking attacks like the one deployed by Qakbot shows a significant evolution. He added:
“Criminals are aware of the increasing cybersecurity training across email users and are producing more sophisticated and authentic-looking phishing lures.”
COVID-19 Crisis Increasing Cybercrime Threats
Iacono said that the use of trojans by ransomware gangs is common and gave the example of the Ryuk attacks, which are preceded by the installation of the Emotet trojan. Another example is the DoppelPaymer attacks that come before Trickbot injections.
She said that with more workers at home as a result of the coronavirus health crisis, they see:
“an uptick in attacks exploiting vulnerabilities in remote work applications such as the Citrix exploit.”
On May 17, reports emerged that the ProLock gang is mainly relying on the Qakbot banking trojan. It uses the trojan to launch attacks and asks its targets for six-figure USD ransoms, paid in Bitcoin (BTC), to decrypt the files.