Qbot Malware Morphs Quickly to Evade Detection

Researchers spot new wave of Qbot infections that can shape-shift every six hours to evade detection.

The Qbot malware is back and hard at work again with infections reported on 54,517 machines, according to researchers at BAE Systems—with 85 percent of those impacted systems residing in the United States.

Qbot’s latest incarnation has learned new tricks since its early days in 2009, and is riling security professionals with its ability to evade detection. So far, BAE Systems reports, the criminals behind this latest Qbot wave have repurposed the original Qbot source code and tweaked it in such a way that the most recent version can slip through most security systems.

Qbot, said Adrian Nish, head of cyber threat intelligence at BAE Systems, is masterful in the way it is able to regenerate itself on an infected host every 24 hours. “The authors behind Qbot are re-scrambling the code every day along with repacking it. One day an antivirus scan may be able to spot it, the next day it won’t,” Nish said in an interview with Threatpost.

Nish said Qbot steals data and harvests credentials, and that it is delivered via the Rig Exploit Kit. Typical targets are mostly U.S.-based academic institutions, although hospitals have also been targeted; in those cases, he said, Qbot may be branching out and delivering ransomware as well.

BAE Systems’ documentation of Qbot (PDF) being used as a vehicle to distribute ransomware jibes with research published earlier this week by Cisco Talos, which also found old malware given new legs by criminals who add worm-like capabilities and use the infections to spread ransomware.

However, while Qbot exhibits some worm-like capabilities, such as the ability to traverse a network and self-replicate, it is not autonomous: its polymorphic code is updated via its command-and-control servers. At intervals as short as six hours, BAE Systems reports, the Qbot code is freshly compiled, often with additional content added, making it appear to be a completely different piece of software.

Since 2009, when Qbot launched its first assault on computer networks, the malware has never completely vanished; there have been sporadic reports of Qbot infections and variants causing limited outbreaks. What alarms researchers at BAE Systems is the fast rate of infections in the past month coupled with the malware’s ability to shape-shift on the fly.

That shape-shifting takes place on two levels, Nish said. On the first level, the binary code of Qbot is modified without affecting its functionality. “This level of polymorphism is carried out by the ‘gateway’ PHP script that runs on the C&C. Each time a new sample is retrieved, the C&C script will patch two large blobs within the binary template with randomly generated data to produce a new copy that will always have a different hash,” BAE wrote.

The second level of polymorphic obfuscation is the authors’ re-compiling and re-encrypting Qbot so that it is entirely different in structure. “At this level, the sample increases its internal version number and it may also get a different configuration file (if the attackers so wish), which would contain different C&C and FTP exfiltration URLs,” BAE wrote.
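The first level of polymorphism described above, patching random data into fixed blob regions of a binary template, is why a hash-based blocklist never catches two Qbot downloads. The following is an added example, not BAE Systems’ analysis and not the actors’ PHP gateway: it models the patching step on a constructed byte template (the layout, the 256-byte blob size, the placeholder "code" regions and the toy signature are all assumptions for illustration) and then shows two checks that still match across samples: a hash over only the invariant regions, and a byte-pattern signature on the code the gateway does not touch.

```python
import hashlib
import os
import re

# Constructed stand-in for a malware binary "template": two fixed code regions,
# each followed by a patchable blob. A real gateway would work on a PE file;
# this toy layout is an assumption so the example runs stand-alone.
BLOB_SIZE = 256
CODE_A = b"\x55\x8b\xec\x83\xec\x40" + b"STATIC-CODE-REGION-A" * 4   # constructed
CODE_B = b"\x5d\xc3" + b"STATIC-CODE-REGION-B" * 4                   # constructed
TEMPLATE = CODE_A + b"\x00" * BLOB_SIZE + CODE_B + b"\x00" * BLOB_SIZE

# Offsets of the two blob regions the gateway overwrites on every download.
BLOB_OFFSETS = (len(CODE_A), len(CODE_A) + BLOB_SIZE + len(CODE_B))


def generate_sample(template: bytes, offsets=BLOB_OFFSETS, size: int = BLOB_SIZE,
                    rng=os.urandom) -> bytes:
    """Model of the gateway's first-level polymorphism: overwrite each blob
    region with random bytes and leave the code regions untouched."""
    buf = bytearray(template)
    for off in offsets:
        buf[off:off + size] = rng(size)
    return bytes(buf)


def sha256(data: bytes) -> str:
    """Full-file hash: what a hash blocklist or simple IOC feed keys on."""
    return hashlib.sha256(data).hexdigest()


def invariant_hash(sample: bytes, offsets=BLOB_OFFSETS, size: int = BLOB_SIZE) -> str:
    """Hash only the bytes outside the blob regions, so that every sample
    produced from the same template yields the same value."""
    h = hashlib.sha256()
    pos = 0
    for off in sorted(offsets):
        h.update(sample[pos:off])
        pos = off + size
    h.update(sample[pos:])
    return h.hexdigest()


# Byte-pattern signature on the untouched code region (toy prologue bytes plus
# the constructed marker string); the kind of rule a YARA-style scanner would use.
SIGNATURE = re.compile(rb"\x55\x8b\xec\x83\xec\x40.{0,16}STATIC-CODE-REGION-A", re.DOTALL)


def matches_signature(sample: bytes) -> bool:
    return SIGNATURE.search(sample) is not None


def compare_two_downloads() -> dict:
    """Fetch the 'same' malware twice (two gateway-patched copies) and report
    which detection keys survive the patching."""
    s1 = generate_sample(TEMPLATE)
    s2 = generate_sample(TEMPLATE)
    return {
        "full_hash_equal": sha256(s1) == sha256(s2),            # False: blocklist misses
        "invariant_hash_equal": invariant_hash(s1) == invariant_hash(s2),  # True
        "invariant_matches_template": invariant_hash(s1) == invariant_hash(TEMPLATE),
        "signature_hits_both": matches_signature(s1) and matches_signature(s2),
    }


if __name__ == "__main__":
    for key, value in compare_two_downloads().items():
        print(f"{key}: {value}")
```

The practical point is in `compare_two_downloads`: the full-file SHA-256 differs on every fetch, exactly as the BAE quote describes, while a hash over the invariant regions and a byte signature on the unpatched code both match every copy. Against the second polymorphism level (a genuine recompile), the invariant hash would also break, so code-level signatures, behaviour and network indicators such as the C&C and exfiltration URLs are the indicators that survive longest.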

BAE Systems said U.S. infection rates are disproportionately high compared to other geographic regions primarily because the attackers first compromised U.S.-based websites. It found the Rig exploit kit on a half-dozen domains registered through the registrar GoDaddy. “We believe that the actors gained access to a set of compromised GoDaddy credentials, using these to access accounts and create subdomains which point to different name servers. Many of the domains are associated with the same GoDaddy domain,” wrote the BAE authors of the report.

Those domains, according to BAE Systems, host the Rig exploit kit. When a user visits one of the compromised domains with, for example, the Internet Explorer web browser, the malware is injected into the running “explorer.exe” process, and the attack attempts a heap buffer overflow.
