Date: 2022-04-12

Qbot operators have returned to the fray, this time using Windows installers that carry malware. Their goal is to infect systems with malware payloads delivered by email. The tactic Qbot now uses to infect computers differs from the one it has used on various occasions in recent years.

As cybersecurity researchers have discovered, and as reported to Bleeping Computer, the malware arrives via phishing emails that download Microsoft Office documents containing malicious files onto the devices where the malware is installed.

The Redmond firm had said in February that it would make it more difficult to activate Microsoft Office VBA (Visual Basic for Applications) macros. This protection was launched this month, and researchers therefore believe the new Qbot is a response to this change.

In February we reported that the company had announced new measures to hinder the spread of malware, such as disabling Visual Basic for Applications (VBA) macros by default in documents downloaded from the web, a move that affects all of its products, including Word, Excel, PowerPoint, Access, and Visio.

Microsoft’s efforts against malware

In late 2021, Microsoft said it had discovered many “malicious macros” in Office documents (specifically Excel 4.0 macros), which attackers were targeting. Threat actors use Excel 4.0 macros to evade security detection systems. However, for them to run properly, the user has to enable them manually, as Microsoft disabled them by default.

Because of this, widespread phishing schemes have been affecting Office applications. The tactic is also intended to prevent cybercriminals from invading devices with various malware such as TrickBot, Emotet and Qbot, to name a few.

Tips to protect yourself

Since the new version of Qbot arrives via phishing, you should follow the basic recommendations for avoiding phishing infections. Given Microsoft’s efforts to block this malware, you should also keep Windows up to date, whether you run Windows 10, which is still supported, or Windows 11.

Also avoid downloading files without knowing their origin or without confirming with the sender that they really sent you that document or link. The Internet Security Office has an online game that helps users learn to identify a phishing attack so that they do not fall into these traps.

Qbot was first known in 2007

Qbot is well-known malware whose first known attacks on Windows date to 2007. Once it infiltrates a system, it can gain access to the user’s financial information, as well as to confidential details such as passwords and email addresses.

A large number of dangerous cybercriminal groups have already used it, including REvil, MegaCortex, PwndLocker, ProLock and other ransomware gangs.

In November 2021 we covered attacks built on phishing campaigns that hijack replies to internal email chains, with Microsoft Exchange servers hacked via the ProxyShell and ProxyLogon exploits. Campaigns of this type have been detected installing Trojans such as Qbot or even the well-known Emotet.