FedEx is the latest cybercrime lure in the global "signed" campaign. The zip attachment of the email contains an xls file. If opened, it contacts a URL and downloads a DLL disguised as an image, which starts the malware infection.
Quakbot's new "signed" campaign uses FedEx as bait. It has been detected by the cybersecurity researcher TheAnalyst. Company code-signing certificates were used to sign the Excel attachment. Objective: to evade antivirus detection and get victims to download and install the malware via the attachment. The email, in fact, carries a compressed document in zip format with an xls file inside which, if opened, contacts a URL to download a DLL disguised as an image, from which the malware infection starts. Note that the image extension is a disguise only: the payload is a PE file, so content-based inspection rather than file extension or Content-Type is what reveals it.

QuakBot (aka Qbot) is a modular cybercrime banking Trojan known for targeting companies. Goal: to steal money from their online bank accounts. It features worm functionality for automatic replication via shared drives and removable media. The code uses powerful info-stealer features to spy on users' banking activity.
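The two hops of the chain above (a zip carrying an xls, then a DLL served under an image name) can both be triaged by looking at magic bytes instead of file names. The following is an added example written for this page, not code from the article or from either researcher; the sample zip and the minimal PE skeleton it builds are constructed inline and are not real campaign artefacts. Names such as `FedEx_Invoice.xls` and `image.png` are assumptions for illustration.

```python
"""Content-based triage for the lure chain: zip -> xls -> 'image' that is a DLL.

Added example (not from the article). The sample inputs are constructed here,
not captured from the campaign.
"""
import io
import struct
import zipfile

# Magic bytes for the formats that matter at the two hops of the chain.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container
ZIP_MAGIC = b"PK\x03\x04"                            # .xlsx/.docm are zip containers

IMAGE_FILE_DLL = 0x2000   # DLL bit in the COFF Characteristics field


def classify_payload(data: bytes) -> str:
    """Return a coarse type from content only, ignoring extension and Content-Type.

    Returns one of 'pe-dll', 'pe-exe', 'png', 'jpeg', 'gif', 'ole2', 'zip', 'unknown'.
    A PE is recognised by the MZ stub plus e_lfanew pointing at the 'PE\\0\\0' signature.
    """
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 24:
            # COFF header follows the 4-byte signature; Characteristics is its last
            # field: Machine(2) NumberOfSections(2) TimeDateStamp(4)
            # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
            # Characteristics(2) -> offset 22 from the signature.
            characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"
    return "unknown"


def is_disguised_pe(filename: str, data: bytes) -> bool:
    """True when the name claims an image but the bytes are a PE file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in {"png", "jpg", "jpeg", "gif"} and classify_payload(data).startswith("pe-")


def triage_zip_attachment(zip_bytes: bytes) -> list:
    """Return (member name, content type) for each member of a zip attachment.

    The lure delivers an .xls inside a zip; this reports whether the member is
    really a legacy OLE2 workbook (macro-capable) regardless of its name.
    """
    result = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            result.append((info.filename, classify_payload(zf.read(info))))
    return result


# ---- constructed samples (assumptions, not real campaign files) -----------
def build_fake_dll() -> bytes:
    """Minimal PE skeleton: MZ stub, e_lfanew=0x80, 'PE\\0\\0', COFF header with DLL flag."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, IMAGE_FILE_DLL | 0x0002)
    return bytes(dos) + b"PE\0\0" + coff


def build_fake_zip_attachment() -> bytes:
    """Zip with one member named like the lure and starting with the OLE2 magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_Invoice.xls", OLE2_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip_attachment(build_fake_zip_attachment()))
    print(is_disguised_pe("image.png", build_fake_dll()))
```

The check deliberately ignores the served Content-Type and the extension, because both are under the attacker's control; only the MZ/PE structure is not. A real triage pipeline would follow the same classification with a signature check on the xls (the campaign's distinguishing feature is that the attachment is validly signed, so a valid signature is not by itself a clean verdict).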