QBot using new attack vector in its latest phishing emails

April 20, 2023

QBot is currently distributed through reply-chain phishing emails: threat actors take stolen email exchanges and reply to them with links to malware or malicious attachments. Because the message appears to be a reply to an ongoing conversation, it draws less suspicion than an ordinary phishing email. These phishing emails are written in multiple languages, indicating that this is a malware distribution campaign with a global reach.

The phishing emails contain a PDF attachment named ‘CancelationLetter-[number].pdf’. When the document is opened, it prompts the recipient to click an “open” button to display protected files. Instead of displaying files, clicking the button downloads a ZIP file containing a Windows Script File (.wsf).

A file with a .wsf extension is a Windows Script File that executes a combination of VBScript and JScript code when double-clicked. In the QBot malware distribution campaign, a heavily obfuscated WSF file is used to execute a PowerShell script on the targeted device.
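A triage check for the delivery chain described above, as an added example that is not from the original article: it matches the attachment name pattern and lists .wsf members inside a ZIP, including nested ZIPs. The function names, the depth and size limits, and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Attachment name from the article: 'CancelationLetter-[number].pdf'
LURE_PDF = re.compile(r"^CancelationLetter-\d+\.pdf$", re.IGNORECASE)
MAX_DEPTH = 2                  # assumption: nested ZIP levels to open
MAX_INNER_BYTES = 20 * 2**20   # assumption: skip oversized nested archives


def is_lure_pdf_name(filename):
    """True when an attachment name matches the lure pattern in the article."""
    return bool(LURE_PDF.match(filename.strip()))


def find_wsf_members(zip_bytes, depth=0, prefix=""):
    """Return paths of .wsf members in a ZIP, descending into nested ZIPs."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a ZIP, or corrupted: nothing to list
    with archive:
        for info in archive.infolist():
            lowered = info.filename.lower()
            if lowered.endswith(".wsf"):
                hits.append(prefix + info.filename)
            elif (lowered.endswith(".zip") and depth < MAX_DEPTH
                  and info.file_size <= MAX_INNER_BYTES):
                try:
                    inner = archive.read(info)
                except RuntimeError:  # encrypted member, cannot inspect
                    continue
                hits += find_wsf_members(inner, depth + 1,
                                         prefix + info.filename + "!")
    return hits


def build_sample_zip():
    """Constructed sample: outer ZIP holding a nested ZIP with a .wsf inside."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Doc_4471.WSF", "<job><script language='JScript'/></job>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("files.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(is_lure_pdf_name("CancelationLetter-12345.pdf"),
          find_wsf_members(build_sample_zip()))
```

A hit from either function is a reason to quarantine the message for review; the extension match is case-insensitive because Windows treats `.WSF` and `.wsf` the same.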