
Cybercrime, QuakBot’s new signed campaign leverages FedEx

Technical analysis by the Malware Hunter JAMESWT

FedEx is the latest cybercrime lure in the global “signed” campaign. The zip attachment of the email contains an xls file. If opened, it contacts a URL and downloads the DLL, disguised as an image, which starts the malware infection.

QuakBot’s new “signed” campaign uses FedEx as bait. It was detected by the cybersecurity researcher TheAnalyst. The company certificates were used to sign the Excel attachment. The objective is to trick the antivirus and allow victims to download and install the malware via the attachment. The email, in fact, contains a compressed document in zip format with an xls file inside which, if opened, contacts a URL to download the DLL, disguised as an image, from which the malware infection starts. QuakBot (aka Qbot) is a modular cybercrime banking Trojan known for targeting companies. Its goal is to steal money from their online bank accounts. It features worm functionality for automatic replication via shared drives and removable media. The code uses powerful info-stealer features to spy on users’ banking activity.

The fake FedEx email

The xls document

URL contacted to download the fake image, which is then automatically renamed to a DLL and executed
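A defender can catch the "DLL disguised as an image" step by comparing what a downloaded file claims to be with what its bytes are. The following is an added example, not code from the original analysis; the `.png` file name, the function names and the sample bytes are constructed assumptions, since the article does not state which image extension was used.

```python
import struct

# Magic bytes of common image formats (well-known file signatures).
IMAGE_MAGICS = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLLs


def pe_kind(data: bytes):
    """Return 'dll', 'exe' or None by parsing the DOS and COFF headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def classify_download(filename: str, data: bytes) -> str:
    """Compare the extension a download claims with what its bytes are."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = pe_kind(data)
    if ext in IMAGE_MAGICS:
        if kind:
            return f"ALERT: {kind} disguised as {ext}"
        if not data.startswith(IMAGE_MAGICS[ext]):
            return "SUSPICIOUS: content does not match image extension"
        return "ok"
    return f"pe:{kind}" if kind else "ok"


def build_sample_pe(is_dll: bool) -> bytes:
    """Constructed minimal header stub (not a loadable binary) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0,
                       0x2002 if is_dll else 0x0002)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0


if __name__ == "__main__":
    print(classify_download("picture.png", build_sample_pe(True)))
    print(classify_download("picture.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 32))
```

The same comparison can be applied to proxy or EDR file-write telemetry: an Office process fetching an "image" whose content parses as a PE is worth an alert regardless of the file name.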
