An ongoing Qbot campaign targets customers of dozens of US banks

Pierluigi Paganini June 18, 2020

Researchers uncovered an ongoing campaign delivering the Qbot malware to steal credentials from customers of dozens of US financial institutions.

Security researchers at F5 Labs have spotted ongoing attacks using Qbot malware payloads to steal credentials from customers of dozens of US financial institutions.

Qbot, aka Qakbot, is a data-stealing worm with backdoor capabilities that was first detected by Symantec back in 2009.

The threat was used in recent attacks aimed at customers of JP Morgan, Citibank, Bank of America, Citizens, Capital One, Wells Fargo, and FirstMerit Bank.

The campaign targets 36 different U.S. financial institutions and two banks in Canada and the Netherlands.

“Analysis of the latest Qbot campaign shows that it is mainly focused on the United States (see Figure 1), targeting approximately 36 U.S. financial institutions and two banks in Canada and the Netherlands,” reads the report published by F5 Labs.

Figure 1: Number of banks targeted by Qbot by country (F5 Labs)

F5 Labs’ researchers reported that the Qbot variant used in the latest attacks implements a number of new features, most of them aimed at evading detection and analysis.

“Previously, Qbot also used worm self-replication techniques to copy itself over shared drives and removable media. Qbot is still Windows-based, but this latest version adds both detection and research-evasion techniques.” continues the report. “It has a new packing layer that scrambles and hides the code from scanners and signature-based tools. It also includes anti-virtual machine techniques, which helps it resist forensic examination.”

The malware is distributed through phishing attacks that attempt to trick victims into visiting websites that use exploits to deliver Qbot via a dropper.

Below is the typical Qbot infection chain:

  • Qbot is loaded into the memory of the running explorer.exe process from an executable delivered via phishing, an exploit kit’s dropper, or an open file share.
  • Qbot copies itself into the user’s default application-data folder, the location the %APPDATA% environment variable points to.
  • Qbot adds an entry for that copy under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so it is launched again at every user logon.
  • Qbot drops a .dat file containing a log of system information and the botnet name.
  • Qbot executes the copy from the %APPDATA% folder and, to cover its tracks, replaces the originally infected file with a legitimate one.
  • Lastly, Qbot creates an instance of explorer.exe and injects itself into it. The attackers then use the always-running explorer.exe process to update Qbot from their external command-and-control server.
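The persistence and injection steps of the chain above leave telemetry that can be correlated. The following is an added example for this article, not code from F5 Labs or from the malware: it runs a correlation rule over a constructed stream of Sysmon-shaped events. Sysmon’s real event IDs and field names are used (1 ProcessCreate, 13 RegistryEvent value set, 8 CreateRemoteThread), but every record, path and SID below is hand-written for the demonstration, and “under %APPDATA%” is approximated by matching the AppData\Roaming or AppData\Local path shape, since the variable is not available off a Windows host.

```python
"""Correlate Qbot-style Run-key persistence with injection into explorer.exe.

Added example; not F5 Labs code. Event records are constructed for the demo.
"""
import ntpath
import re

# Run keys appear as HKU\<SID>\...\Run (per-user) or HKLM\...\Run in Sysmon.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                        re.IGNORECASE)
# Approximation of "inside %APPDATA%": the per-user AppData tree.
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"          # constructed
RUN = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"
BAD = r"C:\Users\alice\AppData\Roaming\Microsoft\abcd.exe"        # constructed

# Constructed sample events (Sysmon field names, hand-written values).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": BAD, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": BAD, "TargetObject": RUN + r"\abcd",
     "Details": f'"{BAD}"'},
    {"EventID": 8, "SourceImage": BAD, "TargetImage": r"C:\Windows\explorer.exe"},
    # Benign noise: a vendor updater registering itself from Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": RUN + r"\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe /silent"},
]


def first_executable(command: str) -> str:
    """Pull the executable path out of a Run-value command line, which may be
    quoted and may carry trailing arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def correlate(events):
    """Return findings for Run-key persistence pointing into the AppData tree.

    Severity is 'high' when the same image also created a remote thread in
    explorer.exe (the injection step), 'medium' when only persistence is seen.
    """
    persisted = {}      # lowercased image path -> Run value referencing it
    injectors = set()   # lowercased images that created a thread in explorer.exe
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            exe = first_executable(ev.get("Details", ""))
            if APPDATA_RE.search(exe):
                persisted[exe.lower()] = ev["TargetObject"]
        elif eid == 8:
            target = ntpath.basename(ev.get("TargetImage", "")).lower()
            if target == "explorer.exe":
                injectors.add(ev.get("SourceImage", "").lower())
    findings = []
    for exe, value in persisted.items():
        severity = "high" if exe in injectors else "medium"
        findings.append({"severity": severity, "image": exe, "run_value": value})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['image']} persisted via {f['run_value']}")
```

Legitimate software does sometimes persist from AppData (per-user installers, chat clients), which is why a Run entry alone is only rated medium here; the CreateRemoteThread into explorer.exe from that same image is what lifts it to high. A real deployment would key the two events on the process GUID rather than the image path, and would also watch for the replacement of the original dropped file.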

Qbot monitors the victim’s web traffic for specific URL patterns (e.g. https://**logoff*, https://**,*) associated with financial services, in order to capture credentials.

The bot also moves laterally via network-share exploits to infect other systems on the same network, and brute-forces Active Directory administrator accounts.
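The brute-forcing of Active Directory admin accounts is visible on domain controllers as bursts of failed logons. The following is an added example for this article, not a detection from F5 Labs or any vendor: a sliding-window rule over constructed Windows Security 4625 (failed logon) events. Only the field names (EventID, TimeCreated, TargetUserName, IpAddress) follow the real 4625 schema; the privileged-account list, the five-failures-in-five-minutes threshold, and every event value are assumptions made for the demonstration.

```python
"""Flag brute-force / password-spray attempts against privileged AD accounts
from Windows Security 4625 (failed logon) events.

Added example; not F5 Labs code. Events and account list are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed list of accounts treated as privileged for the demo.
PRIVILEGED_ACCOUNTS = {"administrator", "da_backup", "svc_sql"}


def make_4625(ts, user, ip):
    """Build a minimal 4625-shaped record (constructed, not exported from a DC)."""
    return {"EventID": 4625, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip}


SAMPLE_4625 = [
    # Six failures in under a minute from one source against three admin accounts.
    make_4625("2020-06-18T09:00:00", "Administrator", "10.0.0.5"),
    make_4625("2020-06-18T09:00:10", "Administrator", "10.0.0.5"),
    make_4625("2020-06-18T09:00:20", "da_backup", "10.0.0.5"),
    make_4625("2020-06-18T09:00:30", "Administrator", "10.0.0.5"),
    make_4625("2020-06-18T09:00:40", "da_backup", "10.0.0.5"),
    make_4625("2020-06-18T09:00:50", "svc_sql", "10.0.0.5"),
    # Noise: two stray admin failures and a user mistyping their own password.
    make_4625("2020-06-18T09:01:00", "Administrator", "10.0.0.9"),
    make_4625("2020-06-18T09:02:00", "jdoe", "10.0.0.9"),
    make_4625("2020-06-18T09:03:00", "Administrator", "10.0.0.9"),
]


def detect_admin_bruteforce(events, privileged=PRIVILEGED_ACCOUNTS,
                            window=timedelta(minutes=5), threshold=5):
    """Sliding-window count of failed logons per source IP against privileged
    accounts. One alert per source, raised the first time the count inside
    `window` reaches `threshold`; the accounts hit so far are listed so that a
    spray across many admins is as visible as hammering on one."""
    recent = defaultdict(deque)   # source IP -> deque of (time, account)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("EventID") != 4625:
            continue
        user = ev["TargetUserName"].lower()
        if user not in privileged:
            continue
        now = datetime.fromisoformat(ev["TimeCreated"])
        src = ev["IpAddress"]
        q = recent[src]
        q.append((now, user))
        while q and now - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"source": src, "failures": len(q),
                           "accounts": sorted({u for _, u in q}),
                           "last_seen": now.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_admin_bruteforce(SAMPLE_4625):
        print(f"{a['source']}: {a['failures']} failures against {a['accounts']} "
              f"by {a['last_seen']}")
```

Sorting by the ISO timestamp string is enough for this record shape; on real exports, parse the timestamp first and expect out-of-order delivery. Lockout-policy thresholds are the natural starting point for `threshold`, since an attacker who is aware of the policy will stay just under it and spread attempts across accounts, which the per-source account list is meant to expose.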

“Qbot has been around for a dozen years with pretty much the same functionality. The targets changed and features were added, but it’s still primarily about keylogging and, secondarily, about extracting a victim’s personal data.” concludes the report. “As Qbot waxes and wanes in popularity with attackers, it is hard to gauge its overall impact on a global scale.”

Back in April 2016, security experts at BAE Systems reported that Qbot was back: they counted 54,517 infected machines, most of them (85%) located in the United States.

The samples they analysed targeted US academic institutions and hospitals. Notably, that variant was already able to traverse a network and spread copies of itself, and its polymorphic capabilities allowed it to evade AV software.


Pierluigi Paganini

(SecurityAffairs – malware, Qbot campaign)
