Qbot Malware Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on Qbot Windows banking trojan, dubbed QakBot/Pinkslipbot, targeting banks and financial institutions.
Updated on April 19, 2023
Published on October 15, 2020
Qbot, a Windows-based banking trojan that has been active since 2008, has made a strong return with new features. Also known as Qakbot and Pinkslipbot, it mainly targets banks and financial institutions. Qbot operators generally reach their victims through phishing campaigns and install the malware with a dropper. Their main motive is to collect details about browsing activity and to steal bank account credentials and other financial information. Earlier versions of Qbot used a self-replicating worm component to copy itself over shared and removable media. With the latest updates, Qbot has added both detection-evasion and research-evasion techniques, with features that hide the code from scanners and other signature-based tools. In addition, it ships with built-in anti-virtual-machine checks to hinder forensic investigation.

Infection and Propagation Vector

  1. Qbot is loaded into the memory of the running explorer.exe process from an executable file that is distributed via phishing emails or an open file share.
  2. The malware then installs itself in the application data folder's default location, as defined in the %APPDATA% registry key.
  3. Qbot creates a copy of itself and registers it under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that it runs again when the system reboots.
  4. It then drops a .dat file containing a log of the system information and the botnet name.
  5. The malware executes its copy from the %APPDATA% folder and replaces the originally infected file with a legitimate one.
  6. Finally, Qbot creates an instance of explorer.exe and injects itself into it. The attackers then use this always-running explorer.exe process to update Qbot from their external command-and-control server.
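The install location and Run-key registration described above form a persistence pattern a responder can check for directly: export the HKCU Run key with `reg export` and flag every entry whose command line resolves into %APPDATA% (the AppData\Roaming profile folder). The following is an added Python example written for this page, not CloudSEK's or the advisory's tooling; the sample .reg text and the entry names "wbeaxvy" and "Updater" in it are constructed for illustration, not real Qbot artefacts.

```python
"""Audit a `reg export` dump of the HKCU Run key for autoruns that launch from
%APPDATA% (AppData\\Roaming), the install location described in the advisory.
Added example for this page; not CloudSEK's tooling. The sample dump and the
'wbeaxvy'/'Updater' entries in it are constructed, not real Qbot artefacts."""
import re
from dataclasses import dataclass
from typing import List

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of what `reg export HKCU\...\Run run.reg` writes
# (real files are UTF-16; assumed already decoded to str here).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"wbeaxvy"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Wbeaxvy\\wbeaxvy.exe"
"Updater"=hex(2):25,00,41,00,50,00,50,00,44,00,41,00,54,00,41,00,25,00,5c,00,\
  75,00,70,00,64,00,2e,00,65,00,78,00,65,00,00,00
"Flag"=dword:00000001
'''


@dataclass
class Autorun:
    name: str
    command: str   # value after .reg unescaping / REG_EXPAND_SZ decoding
    exe_path: str  # executable portion of the command line
    suspicious: bool


def _unescape(value: str) -> str:
    # .reg files escape backslashes and embedded quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def _decode_hex2(payload: str) -> str:
    # REG_EXPAND_SZ is exported as hex(2): comma-separated UTF-16LE bytes.
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def _join_continuations(text: str) -> List[str]:
    # reg export wraps long hex values across lines with a trailing backslash.
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        out.append(pending + line)
        pending = ""
    return out


def exe_from_command(command: str) -> str:
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def is_appdata_path(path: str) -> bool:
    """True when the path resolves into %APPDATA% (the Roaming profile folder)."""
    p = path.lower()
    return "%appdata%" in p or "\\appdata\\roaming\\" in p


def audit_run_key(reg_text: str) -> List[Autorun]:
    """Parse the Run-key section of a .reg dump and flag %APPDATA% autoruns."""
    results: List[Autorun] = []
    in_run = False
    for line in _join_continuations(reg_text):
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if not in_run or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            command = _unescape(value[1:-1])
        elif value.lower().startswith("hex(2):"):
            command = _decode_hex2(value[len("hex(2):"):])
        else:
            continue  # dword/binary values cannot launch anything
        exe = exe_from_command(command)
        results.append(Autorun(name, command, exe, is_appdata_path(exe)))
    return results


def suspicious_autoruns(reg_text: str) -> List[str]:
    """Names of Run-key entries whose executable lives under %APPDATA%."""
    return [a.name for a in audit_run_key(reg_text) if a.suspicious]


if __name__ == "__main__":
    for entry in audit_run_key(SAMPLE_REG):
        flag = "REVIEW" if entry.suspicious else "ok    "
        print(f"{flag} {entry.name}: {entry.command}")
```

The check is deliberately narrow: %APPDATA% is the Roaming folder, so OneDrive running from AppData\Local is not flagged, while both the plain-string entry and the REG_EXPAND_SZ entry that literally contains %APPDATA% are. Legitimate software does install under Roaming, so a hit is a review prompt, not a verdict; the hash of the flagged file should then be compared with the indicators below.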

Key features

  1. Steal users’ keystrokes.
  2. Deploy backdoors.
  3. Spread malware payloads on compromised devices.

Indicators of Compromise

  1. 432B6D767539FD5065593B160128AA7DCE271799AD2088A82A16542E37AD92B0
  2. D3B38681DBC87049022A3F33C9888D53713E144A277A7B825CF8D9628B9CA898
  3. 9001DF2C853B4BA118433DD83C17617E7AA368B1
  4. 449F2B10320115E98B182204A4376DDC669E1369
  5. F85A63CB462B8FD60DA35807C63CD13226907901
  6. B4BC69FF502AECB4BBC2FB9A3DFC0CA8CF99BA9E
  7. 1AAA14A50C3C3F65269265C30D8AA05AD8695B1B
  8. 577522512506487C63A372BBDA77BE966C23CBD1
  9. 75107AEE398EED78532652B462B77AE6FB576198
  10. 674685F3EC24C72458EDC11CF4F135E445B4185B
  11. BECD8F2D6289B51981F07D5FF52916104D764DD5
  12. 18E8971B2DE8EA3F8BB7E1462E414DA936425D4E
  13. 4C96D2BCE0E12F8591999D4E00498BCDB8A116DE
  14. 571cdef12082946e34b77bd50fcb0d38
  15. 06ec0af8411d864211baff8afb117f72
  16. 2d2fa093dd4fb26a8d14f1906552d238
  17. 842d7815923dffc1e1cf2ebbcd0fdf49
  18. 2e4c99684fc0046934b984268b16c25b
  19. hxxp://w1.plenimusic[.]com/fakes/
  20. hxxp://pickap[.]io/wp-content/uploads/2020/04/evolving/888888.png
  21. hxxp://decons[.]vn/wp-content/uploads/2020/04/evolving/888888.png
  22. hxxp://econspiracy[.]se/evolving/888888.png
  23. hxxp://enlightened-education[.]com/wp-content/uploads/2020/04/evolving/888888.png
  24. hxxp://kslanrung[.]com/evolving/888888.png
  25. hxxps://82.118.22[.]125/bgate
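The indicators above are published defanged (hxxp, [.]) and mix SHA-256, SHA-1 and MD5 digests with URLs, so they must be refanged and grouped by type before they can be matched against telemetry. The following added Python example (written for this page, not CloudSEK's tooling) does that for a subset of the list above and matches the result against observed file hashes and web-proxy log lines. The proxy-log layout, client addresses and observed hashes are constructed for the example; the hash-algorithm classification by digest length is general and also covers indicators not in the subset.

```python
"""Refang and classify the advisory's IoCs, then match them against observed
file hashes and web-proxy log lines. Added example for this page, not
CloudSEK's tooling; the proxy-log format, client IPs and observed hashes
are constructed for the example."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlparse

# A subset of the indicators published in the advisory, in defanged form.
ADVISORY_IOCS = [
    "432B6D767539FD5065593B160128AA7DCE271799AD2088A82A16542E37AD92B0",
    "9001DF2C853B4BA118433DD83C17617E7AA368B1",
    "571cdef12082946e34b77bd50fcb0d38",
    "hxxp://w1.plenimusic[.]com/fakes/",
    "hxxp://pickap[.]io/wp-content/uploads/2020/04/evolving/888888.png",
    "hxxps://82.118.22[.]125/bgate",
]

# Hex-digest length identifies the hash algorithm.
HASH_KINDS = {64: "sha256", 40: "sha1", 32: "md5"}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2020-10-14T09:12:33Z 10.0.0.12 GET http://pickap.io/wp-content/uploads/2020/04/evolving/888888.png 200",
    "2020-10-14T09:12:35Z 10.0.0.12 CONNECT 82.118.22.125:443 200",
    "2020-10-14T09:13:01Z 10.0.0.40 GET https://www.example.com/index.html 200",
    "2020-10-14T09:13:20Z 10.0.0.12 GET http://w1.plenimusic.com/fakes/stage2.bin 404",
]

# Constructed digests collected from hosts: two advisory hits, one benign.
SAMPLE_HASHES = [
    "571CDEF12082946E34B77BD50FCB0D38",
    "9001df2c853b4ba118433dd83c17617e7aa368b1",
    "0" * 32,
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(ioc: str) -> str:
    """Undo the usual defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    ioc = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def classify(ioc: str) -> str:
    """Return sha256 / sha1 / md5 / url / unknown for one refanged indicator."""
    if re.fullmatch(r"[0-9a-fA-F]+", ioc) and len(ioc) in HASH_KINDS:
        return HASH_KINDS[len(ioc)]
    if re.match(r"^https?://", ioc, re.IGNORECASE):
        return "url"
    return "unknown"


def load_iocs(raw: Iterable[str]) -> Dict[str, Set[str]]:
    """Group lower-cased indicators by kind; URL hosts also get their own set
    so that a later request to a different path on the same host still hits."""
    table: Dict[str, Set[str]] = defaultdict(set)
    for item in raw:
        ioc = refang(item)
        kind = classify(ioc)
        table[kind].add(ioc.lower())
        if kind == "url":
            host = urlparse(ioc).hostname
            if host:
                table["host"].add(host.lower())
    return table


def match_hashes(observed: Iterable[str], iocs: Dict[str, Set[str]]) -> List[str]:
    """Return observed digests (lower-cased) that appear in the IoC table."""
    hits = []
    for digest in observed:
        digest = digest.strip().lower()
        if digest in iocs.get(classify(digest), set()):
            hits.append(digest)
    return hits


def match_proxy_log(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (client, url, reason) for log lines matching an IoC URL or host.
    CONNECT lines carry only host:port, so they can only be matched on host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url").lower()
        parse_target = url if "://" in url else "https://" + url
        host = urlparse(parse_target).hostname or ""
        if url in iocs.get("url", set()):
            hits.append((m.group("client"), url, "url"))
        elif host in iocs.get("host", set()):
            hits.append((m.group("client"), url, "host"))
    return hits


if __name__ == "__main__":
    table = load_iocs(ADVISORY_IOCS)
    print("hash hits :", match_hashes(SAMPLE_HASHES, table))
    for client, url, reason in match_proxy_log(SAMPLE_PROXY_LOG, table):
        print(f"proxy hit : {client} -> {url} ({reason})")
```

Matching on the URL's host as well as on the exact URL matters here: the published paths end in `/fakes/` and `888888.png`, and a follow-up download from the same host under a different path would otherwise be missed, as would a TLS CONNECT to the bare C2 address, which never exposes a path to the proxy.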

Impact

Qbot’s key features allow it to:
  1. Capture keystrokes and gather details such as usernames, passwords and financial data like credit card information.
  2. Feed those details into social engineering tactics that further the criminals’ agenda.
  3. Create a backdoor that gives the attackers access to the user’s device.

Mitigations

  1. Use updated antivirus software to detect and stop malware infections.
  2. Apply critical patches to systems and applications.
  3. Inspect encrypted traffic; most malware and phishing sites are delivered within encrypted SSL/TLS sessions.
  4. Raise user awareness so that users can easily recognize and report suspicious behavior.
  5. Back up data regularly.
