The Qbot botnet is using a new template for the distribution of its malware that uses a fake Windows Defender Antivirus theme to trick you into enabling Excel macros. Otherwise known as QakBot or QuakBot, Qbot is Windows malware that steals bank credentials and Windows domain credentials and provides remote access to threat actors who install ransomware. Victims usually become infected with Qbot through another malware infection or via phishing campaigns using various lures, including fake invoices, payment and banking information, or scanned documents.
Attached to these spam emails are malicious Excel (.xls) attachments. When opened, these attachments prompt the user to click ‘Enable Content’ so that the malicious macros can run and install the Qbot malware on the victim’s computer. The lure text tells users that, to decrypt the document, they need to click ‘Enable Editing’ or ‘Enable Content’ so that it can be decrypted using the ‘Microsoft Office Decryption Core.’
Once ‘Enable Content’ is clicked, the malicious macros execute and download and install the Emotet malware on the victim’s computer. Once infected, Qbot performs various malicious activities that give threat actors access to your bank accounts and your network. Qbot has previously been bundled with Emotet in many infection campaigns, and last week it was also found being distributed as a second-stage payload in an Emotet infection campaign.
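As an added defensive example (not code from the article or from any Qbot research it reports), the following Python triage checks an Excel attachment for the two signals described above: an embedded VBA project, and ‘Enable Editing’/‘Enable Content’/‘Decryption Core’ lure wording in the workbook text. It handles both OOXML (.xlsm-style zip) and legacy OLE (.xls) containers; the OLE check is a raw byte scan for the `_VBA_PROJECT_CUR` storage name, which is a heuristic rather than a full parser, and all sample inputs are constructed in the script.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls compound-file header
LURE_PHRASES = ("enable editing", "enable content", "decryption core")


def build_ooxml_sample(has_vba: bool, cell_text: str) -> bytes:
    """Constructed sample workbook (not a real Qbot document) for testing the triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/sharedStrings.xml", f"<sst><si><t>{cell_text}</t></si></sst>")
        if has_vba:
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)   # placeholder VBA project
    return buf.getvalue()


def triage_excel_attachment(data: bytes) -> dict:
    """Return container format, whether a VBA project is present, and lure phrases found."""
    result = {"format": "unknown", "has_vba": False, "lure_phrases": []}
    if data.startswith(OLE_MAGIC):
        result["format"] = "ole"
        # Excel keeps macros in a storage named _VBA_PROJECT_CUR; OLE directory
        # entry names are UTF-16LE, so a raw scan is a cheap presence check.
        result["has_vba"] = "_VBA_PROJECT_CUR".encode("utf-16-le") in data
        text = data.decode("latin-1")          # 8-bit BIFF strings survive this decode
    elif data.startswith(b"PK"):
        result["format"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            parts = [z.read(n).decode("utf-8", errors="ignore") for n in names
                     if n.lower().startswith("xl/sharedstrings") or "/sheet" in n.lower()]
            text = " ".join(parts)
    else:
        return result
    lowered = re.sub(r"<[^>]+>", " ", text).lower()   # strip XML tags before matching
    result["lure_phrases"] = [p for p in LURE_PHRASES if p in lowered]
    return result


if __name__ == "__main__":
    sample = build_ooxml_sample(True, "Enable Editing then Enable Content to decrypt")
    print(triage_excel_attachment(sample))
```

An attachment that reports both `has_vba` and lure phrases matches the template described in the article and is a candidate for quarantine before it reaches a mailbox.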