The decade-old Qbot financial malware has resurfaced with an improved version in a new attack against businesses that has infected thousands of systems so far. Researchers from data security solutions provider Varonis have uncovered the attack after a customer alerted them about suspicious activity on a computer. The culprit turned out to be an infection with a new strain of Qbot, also known as Qakbot, that was trying to spread to other systems on the network.
Qbot is one of the most successful malware families of the past decade, in part because its source code is available to cybercriminals, so it can be easily modified and extended. The malicious program started out as a Trojan designed to steal online banking credentials, but has received many improvements over the years.
Qbot interestingly is a semi-polymorphic threat because its command-and-control servers re-scramble the code and configuration periodically to evade signature-based antivirus detection. The threat also has worm-like capabilities that allow it to move laterally through corporate networks by brute-forcing Windows domain credentials.
How the new Qbot attack works
In the attack investigated by Varonis, the initial installer or "dropper" was likely delivered as an email attachment with the extension .doc.vbs. VBS is a scripting language that's natively supported on Windows.
If executed, the malicious script downloads the Qbot loader from a command-and-control server using the Windows BITSAdmin command-line tool. Previous Qbot versions used PowerShell for this purpose, but since PowerShell has become a common malware delivery method, its use is closely monitored on enterprise systems. "The loader, which executes the core malware, has multiple versions and is constantly updating even after execution," the Varonis researchers said in their report.
The version received by the victim depends on a parameter hard-coded in the VBS file, so there are possibly different email campaigns targeting different types of users and organizations. Furthermore, Varonis has found loaders that were digitally signed with eight different code-signing certificates that were likely stolen from various entities.
If a file is digitally signed, it does not mean that it's not malicious, just like if a website uses HTTPS, it does not mean that it's not hosting malware or phishing pages. However, digitally signed files trigger less scary warnings in Windows and are sometimes trusted automatically by poorly configured endpoint security agents or file whitelisting solutions.
Once installed, Qbot creates scheduled tasks and adds entries to the system registry to achieve persistence. The malware then starts recording all keystrokes typed by users, steals credentials and authentication cookies saved inside browsers, and injects malicious code into other processes to search for and steal financial-related text strings.
Varonis gained access to one of the command-and-control servers used by the attackers and found logs showing 2,726 unique victim IP addresses. More than 1,700 were located in the U.S., but victims were also found in Canada, the U.K., Germany, France, Brazil, South Africa, India, China and Russia.
Since computers inside an organization typically access the internet through a shared IP address, the researchers believe the number of individually infected systems to be much larger. Also, logs showed that many of the compromised systems had antivirus programs from various vendors installed, highlighting once again Qbot's ability of evading antivirus detection.