Qbot, a Windows-based banking trojan malware that has been active since 2008, makes a strong return with new features. Qbot, also known as Qakbot and Pinkslipbot, targets banks and financial institutions mainly. Qbot operators generally attack their victims through phishing campaigns and inject the malware using a dropper. Their main motive is to collect details about browsing activity, steal bank account credentials and other financial information.
Previously, Qbot used a self-replicating worm to copy itself over shared and removable media. After the latest updates Qbot malware has added both detection and research-evasion techniques with features to hide the code from the scanner and other signature-based tools. In addition, to bypass forensic investigation it comes with built in anti-virtual machine techniques.
Infection and Propagation Vector
- Qbot malware is loaded into the running explorer.exe memory from an executable file that is distributed via phishing emails or an open file share.
- The malware then installs itself onto the application folder’s default location, as defined in the %APPDATA% registry key.
- Qbot creates a copy of itself in the specific registry key.
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run to run when the system reboots
- Then, it drops a .dat file with a log of the system information and the botnet name.
- The malware executes its copy from the %APPDATA% folder and replaces the originally infected file with a legitimate one.
- Finally, Qbot creates an instance of explorer.exe and injects itself into it. Hackers then use the always-running explorer.exe process to update Qbot from their external command-and-control server.
- Steal users’ keystrokes,
- Deploy backdoors,
- Spread malware payloads on compromised devices.
Indicators of Compromise
The key features of this malware can help Qbot:
- Capture keystrokes and gather details such as usernames, passwords, financial details like credit card information.
- These details can be used for social engineering tactics to further the criminals’ agenda.
- Create a backdoor which helps to access the user’s device.
- Use updated antivirus software to detect and stop malware infections.
- Apply critical patches to the system and application.
- Inspect encrypted traffic; most malware and phishing sites are pushed within encrypted SSL/TLS sessions.
- User Awareness makes it easy for them to report suspicious behavior.
- Back-up data regularly