New techniques using long-term botnet Qakbot can hijack email threads mid-stream

Infamous malware Qakbot has historically undergone myriad transformations since it first gained notoriety in 2008. The latest of these sees it sneaking its way into the middle of your email conversations, hijacking a thread with a spurious message that can appear all the more genuine than conventional phishing emails.

Computer screen showing lines of code
Qakbot's newly implemented coding hijacks your emails mid-conversation.

How it works

Comprehensively tested and reported by Sophos Labs, it seems that the software identifies an active email conversation and sends a reply-all message containing a short sentence and a URL or, perhaps less suspiciously, a link to download a zip file. That zip file can contain a malicious Office document, most commonly an Excel spreadsheet, which can implement any number of invasive behaviors onto a breached machine. It's this aspect of the nature of the trojan botnet that can be so damaging for victims; once opened and actively exploring a machine, Qakbot can unload almost anything the perpetrator has chosen to load it with. This could include other forms of malware, ransomware or destructive viruses, as well as protocols and coding to make subsequent, more serious attacks possible.

What makes this different?

The sophistication of this latest threat is evident from the package's ability to detect the language of the hijacked email conversation and adapt the interjecting malicious message it sends accordingly. Combine this with Qakbot's ability to skillfully replicate the original email conversation in a convincing manner, and it's no wonder that a recipient is all the more likely to hit Enable Content when opening the tainted document.

As Sophos researchers Andrew Brandt and Steeve Gaudreault put it in their report, "[b]ecause the malware is so good at doing this – quoting the original message after its malicious reply – it can be challenging for the targets of these attacks to recognize that the messages they receive didn't come from the human being who owns the email box where they originated."

An unassuming threat

An additional concern regarding Qakbot is how it can effectively spread from one infected Windows computer to many others so fluidly through its automated procedures, as demonstrated by a Kaspersky technical analysis. Once the malware is installed on and has compromised the machine of an unwitting victim, Qakbot implements a payload to scavenge email accounts, usernames and passwords to access any available accounts.

The key point here, though, is that victims can be so unaware of what's going on. Due to the nature of the malware's initial delivery method — a combination of the email source and the seemingly bland attached document — recipients could be lured into a false sense of security and let their guard down just enough to allow that lapse in judgment.

Defending against Qakbot

How, then, should an organization protect itself against this latest iteration of the malware?

Developing a strong understanding of the initial ways in which Qakbot invades a system will allow you to reinforce securities and detection protocols. This can be somewhat challenging due to the "building block" style of the malware, as explained by Microsoft's Threat Intelligence Team. The continued "rewriting" of Qakbot by its authors means that the malicious code is regularly changing and this makes it quite proficient at avoiding detection once implemented. Its modular nature allows for actors to construct and deploy the payload as they wish to achieve their desired goal, which means that the identification and analysis of one permutation cannot rule out the existence of — or a vulnerability to — other versions of the malware. There will of course always be some elements of consistency required, though, and these typically come in the form of the initial delivery method: Email. This is where a defense is most likely to succeed.

As with any potential digital threat, the first step is always awareness. Making staff aware of the resurgence of this particular danger and the nature in which it operates will always be a wise action. Infection prevention is by far the most effective means of protecting your systems, though not always the most reliable due to the human element. Especially because of the tactics being exploited by this version of Qakbot, it would be beneficial to utilize some of the visual examples in reports and analyses to give users a good understanding of what to be on the lookout for.

Within the email received by a target, there are three likely forms of malicious content that will instigate the attack: Links, attachments or embedded images (though these are less commonly seen in conjunction with email conversation hijacking). Any of them can and are still used, however, so making users aware of all possibilities is going to be the best way to keep your systems free from malware contamination.

Vigilance is paramount in preventing a Qakbot inception. The best advice for users is to remain wary of messages containing these types of materials, even if they're from known and trusted sources. If in doubt at all, flagging the message with in-house technical specialists and contacting the sender via alternative means to verify its authenticity are going to be the best courses of action.

Here at the Inventu Corporation, we equip organizations of all sizes with a revolutionary web terminal emulation tool called Inventu Viewer+, a high performance emulation solution that is built with C at its core. Inventu Viewer+ supports SAML 2.0 and other identity technologies to enable securing your critical mainframe applications. This allows deployment of reliable and safe software using clean HTML and JavaScript hosted on secure Windows servers. All in all, the Inventu Viewer+ web terminal emulation meets employer and staff expectations in a way that feels both familiar and simple. Contact us today and see how Inventu can help you integrate your active terminal emulation with the best web identity frameworks available.