
Hackers are increasingly relying on Trojans to implement ransomware attacks

June 10, 2020

A study by risk solutions provider Kroll has identified a growing trend in the use of the Qakbot Trojan (Qbot) to launch email thread hijacking campaigns that deliver ransomware.

According to the results, produced in collaboration with analysts from the National Alliance of Cyber-Forensics and Training, cybercriminals are trying to steal financial data from various industries such as media, education and science. However, the COVID-19 pandemic has also contributed to attacks on the health sector.

The Trojan is reportedly used by the ProLock ransomware gang as an “entry point”. The report suggests that victims are easy targets due to the sophisticated phishing structures set up by criminals.

Attack methods used by the Qakbot Trojan

Qakbot is a banking Trojan that has been active for more than a decade, says Kroll. Among other things, it relies on the use of keyloggers, authentication cookie grabbers, brute force attacks and the theft of Windows account credentials.

One of the authors of the investigation, Laurie Iacono, vice president of the Kroll cyber risk team, explained to Cointelegraph the following reasons why cybercriminals depend on Trojans like Qakbot to launch ransomware attacks:

“The main reason is to maximize your profits. In the past 18 months, Kroll has observed several cases where a Trojan infection is the first step in a multi-phase attack: hackers infect a system, find a way to escalate permissions, perform confirmations, steal credentials (and sometimes confidential data), and then launch a ransomware attack from an access level where it can do the most damage. You can make money from the ransom and possibly from selling stolen data and credentials, and the stolen data helps infected companies pay the ransom.”

Cole Manaster, co-author and vice president of Kroll’s cyber risk department, told Cointelegraph that the increase in thread hijacking attacks used by Qakbot represents a development. He added the following:

“Criminals are aware of the increasing cyber security training among email users and are producing more sophisticated and authentic looking phishing baits.”

The COVID-19 crisis increases the level of cybercrime threats

On the other hand, Iacono said the use of Trojans by ransomware gangs is not uncommon, citing as examples the Ryuk attacks that were preceded by the installation of the Emotet Trojan and the DoppelPaymer attacks that were preceded by TrickBot injections.

Iacono warned that because of the COVID-19 crisis, more remote workers “see an increase in attacks that exploit vulnerabilities in remote work applications such as the Citrix exploit”.

Cointelegraph reported on May 17 that the ProLock gang relies on the banking Trojan Qakbot to launch its attacks, demanding six-figure ransom payments in Bitcoin (BTC) to decrypt the files.