Qbot, an ever-evolving information-stealing trojan that’s been around since 2008, has reappeared after a hiatus to target customers of U.S. financial institutions. Its latest variant features fresh capabilities to help it remain undetected.
Qbot (a.k.a. Qakbot or Pinkslipbot) harvests browsing data and financial info, including online banking details. Some of its tricks include keylogging, credential theft, cookie exfiltration and process hooking. Qbot has previously evolved to add a “context-aware” delivery technique, and in another case added a six-hour evolution cycle to evade detection.
Researchers at F5 have uncovered recent activity using a new variant that also strives hard to avoid analysis. The first samples of the new strain emerged in January on VirusTotal, they told Threatpost.
“Qbot is still Windows-based, but this latest version adds both detection- and research-evasion techniques,” according to the latest F5 analysis. “It has a new packing layer that scrambles and hides the code from scanners and signature-based tools. It also includes anti-virtual machine techniques, which helps it resist forensic examination.”
In the latest campaign, attackers are infecting computers via phishing, web exploits that inject Qbot via a dropper, or via malicious file shares. According to F5, once the victim is compromised, Qbot bides its time until a victim opens a web page that it’s interested in – specifically, online banking portals for Bank of America, Capital One, Citibank, Citizen’s Bank, J.P. Morgan, Sun Bank, TD Bank, Wells Fargo and others.
“This appears to be a dedicated campaign with a browser hijack, or redirection, as the main attack method when the machine is infected,” researchers explained. “As Qbot watches a victim’s web traffic, it looks for specific financial services from which to harvest credentials.”
In all, this wave of infections is specifically targeting 36 U.S. financial institutions and two banks in Canada and the Netherlands, according to the firm. The researchers told Threatpost that the scope of the activity in terms of numbers of victims is not known.
Interestingly, Qbot targets pages with regular-expression search strings that query “logout/exit/quit” requests, F5 researchers told Threatpost: “This is unique, and allows an attacker to trigger the attack after the user requested to log out of the legitimate activity.”
Qbot’s target list also includes generic URLs that might be used in a second stage in an attack – say, for surfacing a message to victims in order to redirect them elsewhere once the banking activity is concluded.
“Since the generic URLs are regular expressions they can be used in different ways, for example https://*/cmserver/logout.cfm*,” researchers told Threatpost. “It will not limit the attack but would rather extend that to any site requesting it, since it is a ‘logout.’ It could be in the second stage of the attack when the user wants to log out and suddenly an additional message appears.”
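To see how far a generic entry like the one quoted above reaches, the following added example (not code from F5 or from the malware) runs that pattern over proxy-log URLs and lists the hosts it would cover. It assumes "*" means "any run of characters"; the sample URLs and example.* hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Pattern quoted in the article; "*" is assumed to mean "any run of characters".
TARGET_PATTERNS = ["https://*/cmserver/logout.cfm*"]

def wildcard_to_regex(pattern):
    """Escape the pattern literally, then turn each '*' into '.*'."""
    body = re.escape(pattern).replace(r"\*", ".*")
    return re.compile("^" + body + "$", re.IGNORECASE)

def hosts_in_scope(urls, patterns=TARGET_PATTERNS):
    """Map each matching host to the logged URLs the generic patterns cover."""
    compiled = [wildcard_to_regex(p) for p in patterns]
    hits = {}
    for url in urls:
        if any(rx.match(url) for rx in compiled):
            hits.setdefault(urlsplit(url).hostname, []).append(url)
    return hits

# Constructed proxy-log URLs (placeholder hosts, not real targets).
SAMPLE_URLS = [
    "https://bank.example.com/cmserver/logout.cfm?session=abc",
    "https://intranet.example.org/cmserver/logout.cfm",
    "https://bank.example.com/cmserver/login.cfm",       # not a logout page
    "http://bank.example.com/cmserver/logout.cfm",       # scheme differs
    "https://shop.example.net/app/cmserver/logout.cfm",  # wildcard spans host and path
]

if __name__ == "__main__":
    for host, urls in hosts_in_scope(SAMPLE_URLS).items():
        print(host, len(urls))
```

The last sample shows why such an entry is broad: the leading wildcard is not confined to the host name, so any site with that path fragment falls in scope.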
Unpacking Routine
Once a victim has been initially compromised, the Qbot executable loads itself into the running explorer.exe memory. It then copies itself into the application folder’s default location, as defined in the %APPDATA% registry key, and creates a copy of itself in the specific registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run to run when the system reboots in order to achieve persistence.
In the next step, according to the F5 analysis, Qbot drops a .dat file with a log of the system information and the botnet name, then executes its copy from the %APPDATA% folder. After that, to cover its tracks, it replaces the originally infected file with a legitimate one.
“Lastly, Qbot creates an instance of explorer.exe and injects itself into it,” F5 researchers said. “The attackers then use the always-running explorer.exe process to update Qbot from their external command-and-control server.”
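The persistence and injection steps described above leave two things a defender can check: a Run entry pointing into %APPDATA%, and an explorer.exe instance launched by a binary in that folder. The following added example (not F5's tooling) triages both; the input format, names and sample data are constructed assumptions.

```python
import ntpath
import re

# Run key checked: HKCU\Software\Microsoft\Windows\CurrentVersion\Run (named in the article).

def exe_path(command, env):
    """Expand %VARS% in a Run-value command line and return the executable path."""
    expand = lambda m: env.get(m.group(1).upper(), m.group(0))
    expanded = re.sub(r"%(\w+)%", expand, command).strip()
    if expanded.startswith('"'):   # quoted path, arguments follow the closing quote
        path = expanded[1:].split('"', 1)[0]
    else:                          # unquoted: cut at the first binary/script extension
        m = re.match(r"(.+?\.(?:exe|dll|bat|cmd|vbs|js))(?:\s|$)", expanded, re.IGNORECASE)
        path = m.group(1) if m else expanded.split(" ", 1)[0]
    return ntpath.normpath(path).lower()

def under_appdata(path, env):
    root = ntpath.normpath(env["APPDATA"]).lower() + "\\"
    return ntpath.normpath(path).lower().startswith(root)

def triage(run_values, process_events, env):
    """Flag Run entries and explorer.exe launches that originate in %APPDATA%."""
    findings = []
    for name, command in run_values.items():
        path = exe_path(command, env)
        if under_appdata(path, env):
            findings.append(("run-key", name, path))
    for ev in process_events:
        is_explorer = ntpath.basename(ev["image"]).lower() == "explorer.exe"
        if is_explorer and under_appdata(ev["parent"], env):
            findings.append(("explorer-spawn", ev["pid"], ev["parent"].lower()))
    return findings

# Constructed sample data: an exported Run key and process-creation events.
ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}
RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Updater": r"%APPDATA%\Microsoft\Sample\sample.exe",
}
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},
    {"pid": 6388, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\Microsoft\Sample\sample.exe"},
]

if __name__ == "__main__":
    for finding in triage(RUN_VALUES, PROCESS_EVENTS, ENV):
        print(finding)
```

A hit is a lead for review rather than a verdict, since some legitimate software also starts from the user profile.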
The latest version of Qbot shows that long-time malware can still be dangerous, researchers said.
“It’s not surprising that malware from over 10 years ago is still active and recoded for new attacks,” James McQuiggan, security awareness advocate at KnowBe4, said via email. “Cybercriminals have seen it work successfully in the past and update the code and concepts by injecting it into known processes, which are accepted by anti-malware applications.”
He added that as always, user awareness can go a long way to thwarting attacks like this.
“Employees in the organization should be aware that visiting unfamiliar or unknown websites can deliver side-channel attacks and bypass the security of their system,” McQuiggan said. “They should be mindful of how to alert their security teams in the event of strange behaviors, especially social engineering scams, like phishing.”