This phishing attack hijacks email chains to power up an ancient botnet

Close up of a person touching an email icon.
Image Credit: Pixabay (Image credit: Geralt / Pixabay)

A new email phishing campaign has been spotted looking to compromise additional endpoints for the Qakbot botnet. 

Qakbot has been around for almost 15 years, haivng reinvented itself on multiple occasions throughout its life, and is now hijacking people’s email threads to distribute the payload to more devices.

Cybersecurity researchers from Sophos discovered once Qakbot infects a device, it delivers a payload that scans it for email accounts and its login credentials. If it is successful, it will go through the inbox and send out replies to every available email threat (as opposed to just sending out a new email to all contacts). The reply will carry a quote of the original message, as well as a malicious payload in the attachment.

TechRadar needs you!

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Multi-stage attacks

By replying to an ongoing thread, instead of sending out a new email, the threat actor hopes to lower the guard of the victim. People may be vigilant when receiving shady emails out of the blue, but when they get a reply, from a known contact, in an ongoing thread, they might be more inclined to examine the contents of the attachment.

Besides English, the lure can be sent out in multiple other languages, Sophos warns, depending on the language of the original email thread.

Quakbot’s real danger, however, lies in the fact that it can serve as the stage-one malware in a multi-stage attack. It can deliver other, more sinister payloads, such as ransomware. 

"Qakbot is a full-service botnet that performs data theft and malware delivery services on behalf of either themselves or third parties. They clearly take advantage of credential theft to access the websites belonging to innocent third parties to use for hosting payloads," Andrew Brandt, principal researcher at Sophos Labs told ZDNet

As usual, users are advised to be extra cautious when receiving emails with attachments, regardless of who the sender is.

Via: ZDNet

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Shutterstock.com / kanlaya wanon
Microsoft Teams abused in Russian email bombing ransomware campaign
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Everything you need to know about phishing
Paper craft illustration of a suspicious email that contains a snake
How to spot a phishing email
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
An iPhone sitting on a wooden table
Millions at risk as malicious PDF files designed to steal your data are flooding SMS inboxes - how to stay safe
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Latest in Security
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
ransomware avast
One of the most powerful ransomware hacks around has been cracked using some serious GPU power
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
person at a computer
Many workers are overconfident at spotting phishing attacks
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Data Breach
Thousands of healthcare records exposed online, including private patient information
Latest in News
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments
Nintendo Switch 2
Nintendo Switch 2 expected to have AI upscaling and I can't wait to finally play Tears of the Kingdom with upgraded graphics
PowerColor Red Devil AMD RX 9070 XT graphics card shown side-on
Your next GPU could be from AMD, not Nvidia, if Team Red’s success with PC gamers continues
Intel Lunar Lake concept
Intel's Panther Lake processors won't arrive until Q1 2026 - corroborates previous delay rumors despite former Intel CEO's promise of 2025 launch
Quordle on a smartphone held in a hand
Quordle hints and answers for Tuesday, March 18 (game #1149)