Serviciul Roman de Informatii


Cyber Awareness: Banking Trojan infects Internet Banking Solutions via Browsers
April 28, 2020

A cyber attack campaign launched by a cybercrime group using the Qbot banking Trojan (QakBot, Plinkslipbot, QakBot) was identified in April this year. In all its different versions, the Trojan mainly targeted the customers of some financial and banking institutions in the US, Romania, Canada and Greece. To a lower extent, Qbot also targeted the customers of some technologic, commercial and IT&C organizations.

In Romania, the campaign targeted the clients of some platforms using internet banking services via browsers (Chrome, FireFox, Microsoft Edge) instead of dedicated applications.

Using spear-phishing, Qbot is programmed to harvest the access credentials of platforms specific for financial and banking companies and for e-mail services and financial data.

Those messages may contain either a link or an attachment. The attachment is a zip-type file that contains a MS Word document running a macro which enables the Trojan be downloaded and thus the device gets infected. Once installed, Qbot searches for the anti-virus program; it makes sure it has properly copied itself in the system and uses valid security certificates to avoid detection. Later on, the Trojan harvests the access credentials and financial data from the infected device. Also, Qbot is able to infect other devices using the same network as the already compromised device.

In order to minimize the risks of Qbot banking Trojan infection, we recommend you to:

  • Use antivirus solutions and make sure we are constantly updating their signatures;
  • Avoid opening archive-type attachments, if their origin is uncertain and no antivirus detection solutions were used to check them;
  • Avoid opening attachments or links sent together with suspicious emails;
  • Update the operating system and avoid using operating systems no longer supported by their producer;
  • Notify your bank in case you notice any banking transaction that you did not make;
  • Deactivate the automatic run of some MS Office routines (macros);
  • Avoid running macros manually.