Security researchers at F5 Labs have spotted ongoing attacks using Qbot malware payloads to steal credentials from customers of dozens of US financial institutions.
Qbot (also known as Qakbot, Pinkslipbot, and Quakbot) is a banking trojan with worm features [1, 2, 3] used to steal banking credentials and financial data, as well as to log user keystrokes, deploy backdoors, and drop additional malware on compromised machines.
Among the banks whose customers have been targeted in this Qbot campaign, the researchers found JP Morgan, Citibank, Bank of America, Citizens, Capital One, Wells Fargo, and FirstMerit Bank.
In total, this active Qbot campaign targets 36 different U.S. financial institutions, as well as two banks in Canada and the Netherlands according to F5 Labs malware analyst Doron Voolf.
Old banking trojan updated with new features
While Qbot has been actively used since at least 2008 and its core hasn’t changed a lot, the latest samples discovered by F5 Labs’ researchers have added a number of new capabilities.
The newer samples are designed both to detect analysis environments and to evade capture and analysis by security researchers.
Qbot now “has a new packing layer that scrambles and hides the code from scanners and signature-based tools,” Voolf said. “It also includes anti-virtual machine techniques, which helps it resist forensic examination.”
The malware is delivered onto the targets’ computers using browser hijacks (web redirections) as the main attack method to infect victims.
Once dropped on a victim’s machine, Qbot is loaded into the memory of the explorer.exe process, copies itself to the %APPDATA% folder, and gains persistence by adding a registry key that launches it again at system reboot.
After executing the %APPDATA% copy, the malware injects itself into a newly spawned explorer.exe process. The Qbot operators later use this always-running malicious process to update the bot instance from their command-and-control server.
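The three behaviours described above (a drop under %APPDATA%, a Run-key entry pointing at that drop, and a thread created in explorer.exe from the dropped file) are individually noisy but rarely occur together for one file. The following is an added example, not code from the F5 Labs report or from Qbot itself: it correlates Sysmon-style events (FileCreate 11, RegistryEvent 13, CreateRemoteThread 8) on a single file path and only raises a high-severity finding when all three stages line up. The sample events, the file name `xcgqzb.exe` and the user SID are constructed for the demonstration; a benign updater that lives in AppData and registers a Run key is included to show why the injection stage is required before alerting.

```python
"""Correlate Sysmon-style events into the persistence chain described above.
Added example; the event records below are constructed, not real telemetry."""
import re

# Sysmon TargetObject for a per-user or machine-wide Run key value.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)


def normalize(path):
    """Lower-case a path and strip surrounding quotes so the same file matches
    across TargetFilename, registry Details and SourceImage fields."""
    return path.strip().strip('"').lower()


def correlate(events):
    """Return findings for files dropped under AppData that also gained a
    Run-key entry and/or injected into explorer.exe. A finding is 'high' only
    when all three stages are present for the same file."""
    dropped = set()       # normalized paths created under AppData (event 11)
    run_entries = {}      # normalized path -> Run-key value that references it (event 13)
    injectors = set()     # normalized SourceImage of threads created in explorer.exe (event 8)

    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:  # FileCreate
            target = ev.get("TargetFilename", "")
            if APPDATA_RE.search(target):
                dropped.add(normalize(target))
        elif eid == 13:  # RegistryEvent: value set
            key = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(key):
                run_entries[normalize(ev.get("Details", ""))] = key
        elif eid == 8:  # CreateRemoteThread
            if normalize(ev.get("TargetImage", "")).endswith("\\explorer.exe"):
                injectors.add(normalize(ev.get("SourceImage", "")))

    findings = []
    for path in dropped:
        stages = {"appdata_drop"}
        if path in run_entries:
            stages.add("run_key")
        if path in injectors:
            stages.add("explorer_injection")
        if len(stages) > 1:  # a bare AppData drop on its own is too common to report
            findings.append({
                "path": path,
                "run_key": run_entries.get(path),
                "stages": stages,
                "high": len(stages) == 3,
            })
    return findings


# Constructed sample events (hypothetical file name and SID).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Xcgqzb\xcgqzb.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\xcgqzb",
     "Details": r"C:\Users\alice\AppData\Roaming\Microsoft\Xcgqzb\xcgqzb.exe"},
    {"EventID": 8,
     "SourceImage": r"C:\Users\alice\AppData\Roaming\Microsoft\Xcgqzb\xcgqzb.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    # Benign look-alike: an updater installed under AppData with a Run key, no injection.
    {"EventID": 11, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Example\updater.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Example",
     "Details": r"C:\Users\alice\AppData\Local\Example\updater.exe"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print("HIGH" if f["high"] else "low ", f["path"], sorted(f["stages"]))
```

On a real host the Details field of a Run value may carry quoting or arguments; the example treats it as a bare path, so production logic would need to extract the executable before comparing.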
“As Qbot watches a victim’s web traffic, it looks for specific financial services from which to harvest credentials,” Voolf further explained.
Malware used in highly-targeted campaigns
Attackers often use exploit kits to drop Qbot payloads on their targets’ machines; the bot then infects other devices on the same network through network share exploits and highly aggressive brute-force attacks against Active Directory admin accounts.
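The brute-force stage described above leaves a distinctive trail on domain controllers: bursts of failed logons (Windows Security event 4625) from one source against privileged accounts. The following is an added example, not code from the F5 Labs report: a sliding-window detector that counts 4625 events per (source address, account) pair and alerts when failures against a privileged account exceed a threshold inside the window. The field names `TargetUserName` and `IpAddress` follow the 4625 event schema; the `ADMIN_ACCOUNTS` set, the addresses and the event records are constructed for the demonstration.

```python
"""Sliding-window brute-force detection over Windows Security 4625 events.
Added example; the account list and events below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical set of privileged account names; in practice pull this from
# Domain Admins / Enterprise Admins membership rather than hard-coding it.
ADMIN_ACCOUNTS = {"administrator", "da_backup", "svc_sqladmin"}


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=20):
    """Return {(ip, account): {...}} for every (source, admin account) pair that
    accumulates `threshold` or more failed logons within `window`.

    events: dicts with 'time' (ISO 8601), 'EventID', 'TargetUserName', 'IpAddress'.
    """
    recent = defaultdict(deque)  # (ip, account) -> timestamps inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("EventID") != 4625:
            continue
        account = ev.get("TargetUserName", "").lower()
        if account not in ADMIN_ACCOUNTS:
            continue
        key = (ev.get("IpAddress", "-"), account)
        ts = datetime.fromisoformat(ev["time"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"first_seen": q[0], "last_seen": ts, "count": len(q)}
    return alerts


def make_failures(ip, account, start, count, spacing):
    """Build `count` constructed 4625 records from `ip` against `account`."""
    return [{"time": (start + i * spacing).isoformat(), "EventID": 4625,
             "TargetUserName": account, "IpAddress": ip} for i in range(count)]


T0 = datetime(2020, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # 30 failures in 2 minutes against the built-in Administrator: should alert.
    make_failures("10.0.0.23", "Administrator", T0, 30, timedelta(seconds=4))
    # 25 failures against an admin account spread over an hour: outside the window, no alert.
    + make_failures("10.0.0.23", "da_backup", T0, 25, timedelta(minutes=3))
    # 40 failures against a non-privileged user: ignored by this detector.
    + make_failures("10.0.0.41", "bob", T0, 40, timedelta(seconds=2))
)

if __name__ == "__main__":
    for (ip, account), info in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip} -> {account}: {info['count']} failures between "
              f"{info['first_seen']} and {info['last_seen']}")
```

The window and threshold are deliberately coarse; tune them against the normal failure rate for service accounts, and pair this with a second rule keyed on source address alone so that a spray across many accounts is not missed.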
Qbot’s developers have also included unusual capabilities at one point or another, including an ingenious technique in which the malware assembles itself from two encrypted halves to evade detection.
Although active for over a decade, this banking trojan has mostly been used in targeted attacks on corporate entities, which offer a higher return on investment.
Qbot also saw a resurgence last year, being dropped as a first-stage or second-stage payload by the Emotet gang, and in a context-aware phishing campaign in March 2019 whose emails were camouflaged as replies to previous conversations.
A full list of indicators of compromise (IOCs), including the specific strings Qbot targets in this campaign and malware sample hashes, is available at the end of the F5 Labs report.