QBot -also referred to as QakBot- is a polymorphic Trojan that has been designed to steal financial information from the computer devices it infects. A Trojan malware is one which has capabilities to replicate itself, but QBot is exceptional in the sense that this Trojan can undergo sophisticated modification to provide attackers with enhanced capabilities and can then be spread through either networks or removable storage devices.
The research activity carried out by Varonis recently exposed a global QBot Cyber Campaign. It was found that the C2 Server actively compromised thousands of victims around the globe. The primary targets of these attacks were US Corporations. However, it has also hit networks around the world with victims from Asia, South America, and Europe. The goal of these cyber-attacks was to steal financial information from the victim including bank account details. In the report, it is mentioned that threat actors used a new variant of QBot.
How The New Variant Of QBot Works:
In a typical attack by this new variant of QBot which exploits the vulnerabilities in targeted system stealthily. The victim receives an email containing a link to OneDrive that then delivers a file with .doc or .vbs extension upon accidentally or intentionally clicking upon it.
QBot steals information, downloads harmful files and opens up a backdoor on the compromised machine. Although it has been around for years now, this particular Trojan has recently resurfaced again in a new version which has enhanced capabilities and a new phishing based method that can bypass anti-malware software such as anti-viruses, spam filters etc.
VBS files (Visual Basic script files) are classified as source code and program files for Windows PCs. The email received is quite malignant and appears to be an existing email thread. This is a social engineering tactic intended to lure the victims so that they open the file attached to the email. Once executed, the file extracts the OS version of the victim and then starts downloading the QBot loader using Windows BITSAdmin ( a tool that can create download or upload jobs and monitor their progress). Previous variants of QBot were different in that they were found to be using Windows PowerShell.
According to Varonis, the loader has multiple versions that keep getting updated even after execution. A “valid digital certificate” is included in it and help ensure that the file is trustworthy and induces fewer warnings in Windows.
Veronis found out that each version of the loader is signed with a different digital certificate. Once installed, the malware starts creating scheduled tasks and adds entries to the Windows system registry. The malware launches a process into explorer.exe and then overwrites the original executable with a 32-bit calc.exe version. Here is a list of the techniques used by QBot to steal information:
- Keylogging
- Hooking
- Credentials/cookies etc.
The goal of the malware is to steal sensitive and confidential information, and cyber-criminals can draw off money from the user’s account once it is compromised in further attack escalation stages.
A Brief History: The Presence of QBot & Impact
Let us now have a quick look at the history of QBot. QBot (also known as QakBot) is a banking Trojan that was first identified in 2009. The QBot malware is known for its ability to evade detection. It is challenging to spot the malware and even harder to eliminate it.
Cybercriminals have found its design convenient, like the ever-present AK-47 of the cyber world, and have continued to engineer and modify the malware, making it harder for security researchers & security services to detect it. The malware has previously targeted several governments and corporations around the world for stealing user information and banking credentials.
QBot has reappeared many times since 2009. For example- it infected almost 500,000 PCs in 2014 to steal their financial data. In 2016, a new variant of the malware infected more than 50,000 systems from different organizations around the world. It has also recently managed to infect cybersecurity vendors with its attacks.
How To Keep Your PC Safe From QBot?
If you are worried about getting infected by the QBot Malware, then you can use these helpful tips below to keep yourself and your devices safe. To avoid getting infected by QBot malware, we recommend users to:
- Keep your Operating system updated and avoid using Windows OS versions that have stopped getting support from Microsoft such as Windows XP.
- Always keep your Operating System up-to-date, and regularly update your third-party software.
- Disable Java from your system if you do not use it quite often.
- Never click on any URL in a suspicious email received in your inbox else use advanced threat defense from phishprotection.com for email protection.
- Do not download or open any suspected attachments from email or from anywhere on the web
References:
- “Varonis Exposes Global Cyber Campaign”
https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-QBot/
- “QBot Malware resurfaces in new attack against businesses”
(Lucian Constantin- Mar 1, 2019)