Security sleuths at Zscaler have shared details about threat actors using novel methods in an attempt to sidestep detection, to circulate a potent password stealing malware called Qakbot. Cybersecurity researchers are alarmed by the attack but not surprised by attackers refining their techniques. “Cybercriminals are constantly updating their attacks to try to avoid detection and, ultimately, achieve their aims,” Jack Chapman, VP of Threat Intelligence at Egress, told Lifewire over email. “So even if we don’t know specifically what they’ll try next, we know there will always be a next time, and that attacks are constantly evolving.”

Friendly Neighborhood Hacker

In their post, Zscaler runs through the various obfuscating techniques the attackers employ to get victims to open their email. This includes using enticing file names with common formats, such as .ZIP, to trick victims into downloading the malicious attachments.  Obfuscating malware has been a popular tactic for many years now, Chapman shared, saying they’ve seen attacks hidden in numerous different file types, including PDFs and every Microsoft Office document type.  “Sophisticated cyberattacks are engineered to stand the best possible chance of reaching their targets,” said Chapman.  Interestingly, Zscaler notes the malicious attachments are inserted as replies in active email threads. Again Chapman isn’t surprised by the sophisticated social engineering at play in these attacks. “Once the attack has reached the target, the cybercriminal needs them to take action—in this case, to open the email attachment,” shared Chapman. Keegan Keplinger, Research and Reporting Lead at eSentire, which detected and blocked a dozen Qakbot campaign incidents in June alone, also pointed to the use of compromised email inboxes as a highlight of the attack.  “Qakbot’s approach bypasses human-trust checks, and users are more likely to download and execute the payload, thinking it’s from a trusted source,” Keplinger told Lifewire over email. Adrien Gendre, Chief Tech and Product Officer at Vade Secure, pointed out this technique was also used in 2021’s Emotet attacks. “Users are commonly trained to look for spoofed email addresses, but in a case such as this, inspecting the sender’s address would not be helpful because it is a legitimate, albeit compromised, address,” Gendre told Lifewire in an email discussion.

Curiosity Killed the Cat

Chapman says that in addition to taking advantage of the pre-existing relationship and trust built between the people involved, attackers’ use of common file types and extensions results in recipients being less suspicious and more likely to open these attachments.  Paul Baird, Chief Technical Security Officer UK at Qualys, notes that although technology should block these types of attacks, some will always slip through. He suggests that keeping people aware of current threats in a language they’ll understand is the only way to curb the spread. “Users should beware, and be trained, that even a trusted email address can be malicious if compromised,” agreed Gendre. “This is especially true when an email includes a link or an attachment.” Gendre suggests people should carefully read their emails to ensure that senders are who they claim to be. He points out that emails sent from compromised accounts are often short and to the point with very blunt requests, which is a good reason to flag the email as suspicious.  Adding to this, Baird points out the emails sent by Qakbot will normally be written differently when compared to the conversations you usually have with your contacts, which should serve as another warning sign. Before interacting with any attachments in a suspicious email, Baird suggests you connect with the contact using a separate channel to verify the authenticity of the message. “If you get any email [with] files [you’re] not expecting, then don’t look at them,” is Baird’s simple advice. “The phrase ‘Curiosity killed the cat’ applies to anything that you get through email.”