Malware comes and goes. In the course of time, some of it gets upgraded to be more potent and deadly.
The Qbot trojan is 12-year-old malware that is still considered dangerous and now has advanced evasion techniques. It has been evolving ever since it appeared. It is basically an information-stealing trojan that has been around since 2008. Its operators took a long break, but now they are back to target U.S. financial institutions. The latest variant adds evasion capabilities.
Qbot (a.k.a. Qakbot or Pinkslipbot) harvests browsing data and financial info, including online banking details. It has keylogging features, credential theft, cookie exfiltration and process hooking. Qbot has previously evolved to add a “context-aware” delivery technique; and in another case added a six-hour evolution cycle to evade detection.
Security researchers at F5 have uncovered recent activity using a new variant of the malware that also strives hard to avoid analysis. Samples first emerged on VirusTotal last January.
The Qbot trojan is Windows-based; according to F5's analysis team, the latest release adds both detection- and research-evasion techniques. “It has a new packing layer that scrambles and hides the code from scanners and signature-based tools. It also includes anti-virtual machine techniques, which helps it resist forensic examination.”
In the latest campaign, attackers are infecting computers via phishing, web exploits that inject Qbot via a dropper, or via malicious file shares. According to F5, once the victim is compromised, Qbot bides its time until a victim opens a web page that it’s interested in – specifically, online banking portals for Bank of America, Capital One, Citibank, Citizen’s Bank, J.P. Morgan, Sun Bank, TD Bank, Wells Fargo and others.
“This appears to be a dedicated campaign with a browser hijack, or redirection, as the main attack method when the machine is infected,” researchers explained. “As Qbot watches a victim’s web traffic, it looks for specific financial services from which to harvest credentials.”
A total of 36 U.S. financial institutions and two banks in Canada and the Netherlands have been targeted by the attacks, and there might be more.
Basically, Qbot targets pages using regular-expression search strings that match “logout/exit/quit” requests. “This is unique, and allows an attacker to trigger the attack after the user requested to log out of the legitimate activity.”
Qbot’s target list also includes generic URLs that might be used in a second stage in an attack – say, for surfacing a message to victims in order to redirect them elsewhere once the banking activity is concluded.
“Since the generic URLs are regular expressions they can be used in different ways, for example https://*/cmserver/logout.cfm*.” Such a pattern can be extended to any site that serves a matching request, which can lead to a second stage of an attack.
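To make the point about generic patterns concrete, the following is an added example (not code from the article or from F5) that an analyst might use when reading a list of target strings extracted from a sample: it translates wildcard URL patterns of the form quoted above into anchored regular expressions, reports which patterns a given URL would satisfy, and flags patterns whose host part is entirely a wildcard, since those apply to any site. Only the `https://*/cmserver/logout.cfm*` pattern is taken from the article; the other patterns and the URLs are constructed.

```python
import re

# Wildcard URL patterns of the kind the article describes, where "*" stands
# for any run of characters. Only the first entry is quoted from the article;
# the rest are constructed for illustration.
SAMPLE_TARGET_PATTERNS = [
    "https://*/cmserver/logout.cfm*",            # quoted in the article
    "https://online.example-bank.test/logout*",  # constructed: one specific site
    "https://*.example-bank.test/*exit*",        # constructed: one site's subdomains
]


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a '*' wildcard URL pattern into an anchored, case-insensitive regex.

    Every literal segment is escaped, so only the '*' characters act as wildcards.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def matching_patterns(url: str, patterns=SAMPLE_TARGET_PATTERNS) -> list:
    """Return every pattern from the list that the given URL would satisfy."""
    return [p for p in patterns if wildcard_to_regex(p).match(url)]


def is_generic(pattern: str) -> bool:
    """True when the host part of the pattern is a bare '*', i.e. it matches any site."""
    host = re.match(r"^https?://([^/]*)/", pattern)
    return host is not None and host.group(1) == "*"


if __name__ == "__main__":
    # Constructed URLs: a logout request on an unrelated site and a bank's "exit" page.
    for url in (
        "https://portal.some-site.test/cmserver/logout.cfm?session=1",
        "https://www.example-bank.test/account/exit",
    ):
        print(url, "->", matching_patterns(url))
    for p in SAMPLE_TARGET_PATTERNS:
        print(p, "generic" if is_generic(p) else "site-specific")
```

Running the block shows that the cmserver/logout.cfm pattern matches the logout request on a site that has nothing to do with banking, which is what the article means by a generic pattern being extendable to any site; the site-specific patterns only fire for their own host.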
Once compromised, an executable file loads itself into memory by running explorer.exe and in turn copies itself into the registry and the application folder directory %APPDATA%. It also creates a copy of itself in the specific registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run to run when the system reboots, in order to achieve persistence.
Qbot then creates a .dat file with a log of the system information and the botnet name, and executes its copy from the %APPDATA% folder. It then covers its tracks by replacing the originally infected file with a legitimate one.
Last but not least, Qbot creates a separate instance of explorer.exe and injects itself into it; the attackers then use the always-running explorer.exe process to update Qbot from their external command-and-control (C&C) server.
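The persistence mechanism described above (a copy in %APPDATA% started from the HKCU Run key) is one of the easiest things to check for on a suspect machine. The following is an added triage example, not code from the article or from F5: it parses Run-key entries (value name and command line), extracts the program path from each command, and flags entries whose executable lives in a user-writable location such as %APPDATA%, which is where this variant stages its copy. The entries in `SAMPLE_RUN_ENTRIES` are constructed, and the paths in them are placeholders, not indicators from the article; on Windows the optional `read_live_run_key()` helper reads the real key via the standard-library `winreg` module.

```python
import re

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run export
# (value name -> command line), standing in for `reg query` output.
# The paths are placeholders for illustration, not indicators from the article.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "UpdaterSvc": r"C:\Users\alice\AppData\Roaming\abcd\abcd.exe",
    "Helper": r'"%APPDATA%\xyz\xyz.exe" -silent',
}

# Substrings (lower-cased) that identify user-writable locations in a path.
USER_WRITABLE_ROOTS = (
    r"%appdata%",
    r"%localappdata%",
    r"%temp%",
    r"\appdata\roaming",
    r"\appdata\local",
)

RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"  # from the article


def executable_from_command(command: str) -> str:
    """Extract the program path from a Run value: the quoted part, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def is_user_writable_location(path: str) -> bool:
    """True when the path points into a profile-writable folder (%APPDATA%, %TEMP%, ...)."""
    lowered = path.lower()
    return any(root in lowered for root in USER_WRITABLE_ROOTS)


def triage_run_entries(entries: dict) -> list:
    """Return (value name, executable path) pairs whose program starts from user-writable folders."""
    flagged = []
    for name, command in entries.items():
        exe = executable_from_command(command)
        if is_user_writable_location(exe):
            flagged.append((name, exe))
    return flagged


def read_live_run_key() -> dict:
    """Read HKCU's Run key on Windows; returns {} elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            entries[name] = str(data)
            index += 1
    return entries


if __name__ == "__main__":
    entries = read_live_run_key() or SAMPLE_RUN_ENTRIES
    for name, exe in triage_run_entries(entries):
        print(f"review: Run value {name!r} starts {exe}")
```

A hit from this check is a lead, not a verdict: legitimate per-user installers also start from %APPDATA%, so each flagged executable should be compared against the on-disk file (and, following the article's description, the explorer.exe instances on the host) before it is treated as the Qbot copy.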
This proves that old malware can still be recycled to be potent and dangerous.
It is common practice to revive and revise the code of old malware and viruses and add functions and features, essentially recycling code and merging functions to create a new attack vector. Cybercriminals are busy updating code and modifying attack-vector concepts to circumvent detection.
User awareness and common sense (a think-before-you-click mentality) are still effective in avoiding infection. Do not visit unfamiliar or unknown websites, because they can deliver side-channel attacks and bypass the security of any computer system. Computer users should be mindful of strange occurrences and behaviors, especially when social engineering scams like phishing are encountered.