Presently, QBot is being disseminated via reply-chain phishing emails, whereby threat actors employ stolen email exchanges and subsequently respond to them with links to malware or malicious attachments.
The adoption of reply-chain emails is an effort to minimize the suspicion prompted by a phishing email since it appears to be a reply to an ongoing conversation.
These phishing emails are composed in multiple languages, indicating that this is a malware distribution campaign with a global reach.
The phishing emails carry a PDF attachment named ‘CancelationLetter-[number].pdf’; when opened, the document prompts the recipient to click an “open” button to display supposedly protected files.
Clicking the button displays no files; instead it downloads a ZIP archive containing a Windows Script File (.wsf).
A file with a .wsf extension is a Windows Script File that executes a combination of VBScript and JScript code when double-clicked.
In the QBot malware distribution campaign, a heavily obfuscated WSF file is used to execute a PowerShell script on the targeted device.
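A mail-gateway triage check for the attachment chain described above (the lure PDF name, then a ZIP wrapping a .wsf), written as an added example for this article rather than code from the original report; the regular expression, the in-memory sample ZIP and every filename are constructed for illustration.

```python
import io
import re
import zipfile

# Lure name pattern taken from the campaign description: CancelationLetter-<digits>.pdf
# (the digit run is an assumption about what "[number]" means).
LURE_PDF_RE = re.compile(r"^CancelationLetter-\d+\.pdf$", re.IGNORECASE)


def pdf_is_lure(filename: str) -> bool:
    """True when an attachment name matches the campaign's PDF lure naming."""
    return bool(LURE_PDF_RE.match(filename))


def zip_wsf_members(data: bytes) -> list[str]:
    """Return archive members that the Windows Script Host would execute (.wsf)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".wsf")]
    except zipfile.BadZipFile:
        # Not a real ZIP (or corrupted): nothing to inspect, let other checks decide.
        return []


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings for one attachment; empty list means no match."""
    findings = []
    if pdf_is_lure(filename):
        findings.append(f"lure-pdf-name:{filename}")
    if filename.lower().endswith(".zip"):
        for member in zip_wsf_members(data):
            findings.append(f"zip-contains-wsf:{member}")
    return findings


def build_constructed_zip(members: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory; used only to create constructed sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample: a ZIP whose only member is an (inert, empty) .wsf job file.
SAMPLE_ZIP = build_constructed_zip(
    {"CancelationLetter-2048.wsf": b"<job><script language='JScript'></script></job>"}
)

if __name__ == "__main__":
    print(triage_attachment("CancelationLetter-78201.pdf", b"%PDF-1.7"))
    print(triage_attachment("CancelationLetter-78201.zip", SAMPLE_ZIP))
```

Feed it each attachment's name and raw bytes as they pass the gateway; a ZIP that carries a .wsf is a quarantine candidate regardless of how plausible the surrounding reply-chain thread looks.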