US bank customers targeted in ongoing Qbot campaign

Security researchers at F5 Labs have spotted ongoing attacks using Qbot malware payloads to steal credentials from customers of dozens of US financial institutions.

Qbot (also known as Qakbot, Pinkslipbot, and Quakbot) is a banking trojan with worm features used to steal banking credentials and financial data, as well as to log user keystrokes, deploy backdoors, and drop additional malware on compromised machines.

Among the banks whose customers have been targeted in this Qbot campaign, the researchers found JP Morgan, Citibank, Bank of America, Citizens, Capital One, Wells Fargo, and FirstMerit Bank.

In total, this active Qbot campaign targets 36 different U.S. financial institutions, as well as two banks in Canada and the Netherlands according to F5 Labs malware analyst Doron Voolf.

Number of banks targeted by Qbot by country (F5 Labs)

Old banking trojan updated with new features

While Qbot has been actively used since at least 2008 and its core hasn’t changed a lot, the latest samples discovered by F5 Labs’ researchers have added a number of new capabilities.

The new trojan versions are designed to both detect and evade being captured and analyzed by security researchers.

Qbot now “has a new packing layer that scrambles and hides the code from scanners and signature-based tools,” Voolf said. “It also includes anti-virtual machine techniques, which help it resist forensic examination.”

The malware is delivered onto the targets’ computers using browser hijacks (web redirections) as the main attack method to infect victims.

Once dropped on a victim’s machine, Qbot is loaded within the explorer.exe process’ memory, copies itself in the %APPDATA% folder, and gains persistence by adding a new registry key to launch itself on system reboot.

After it executes the %APPDATA% copy, the malware injects itself into a newly spawned explorer.exe process. The Qbot operators later use this always-running malicious process to update the bot instance from their command-and-control server.
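As an added defender-side triage check, not code from the article or the F5 Labs report, the PowerShell below looks for the two host artifacts just described: an autostart entry that points into %APPDATA%, and explorer.exe instances with their parent processes. It assumes an elevated Windows PowerShell 5.1+ session on the host under review and that the persistence entry is a Run key (the article only says "a new registry key").

```powershell
# Added triage example, not code from the article or the F5 Labs report.
# Assumptions: elevated Windows PowerShell 5.1+ on the host under review, and that
# the persistence entry is a Run key (the article only says "a new registry key").

function Get-AppDataRunEntries {
    # Autostart values whose command line references the roaming AppData folder.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # provider metadata, not a value
            $cmd = [string]$p.Value
            if ($cmd -match '\\AppData\\Roaming\\' -or $cmd -match '%APPDATA%') {
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

function Get-ExplorerInstances {
    # Every explorer.exe with its parent. The shell instance for a session is
    # normally parented by userinit.exe, which has already exited; an extra
    # instance parented by a live process is worth inspecting, unless the
    # "launch folder windows in a separate process" option is enabled.
    # Caveat: the parent PID may have been reused by an unrelated process.
    $procs = Get-CimInstance Win32_Process
    foreach ($e in ($procs | Where-Object { $_.Name -ieq 'explorer.exe' })) {
        $parent = $procs | Where-Object { $_.ProcessId -eq $e.ParentProcessId }
        [PSCustomObject]@{
            Pid        = $e.ProcessId
            ParentPid  = $e.ParentProcessId
            ParentName = $(if ($parent) { $parent.Name } else { '<exited>' })
            Path       = $e.ExecutablePath
            Started    = $e.CreationDate
        }
    }
}

Get-AppDataRunEntries | Format-Table -AutoSize
Get-ExplorerInstances | Format-Table -AutoSize
```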

“As Qbot watches a victim’s web traffic, it looks for specific financial services from which to harvest credentials,” Voolf further explained.

Malware used in highly-targeted campaigns

Attackers often use exploit kits to drop Qbot payloads on their targets’ machines, after which the bot infects other devices on the same network via network share exploits and highly aggressive brute-force attacks against Active Directory admin accounts.

Qbot’s developers have also included unusual capabilities at one point or another, including the ingenious way the malware assembles itself from two encrypted halves to evade detection.

While active for over a decade, this banking trojan has mostly been used in targeted attacks on corporate entities that would provide a higher return on investment.

Consistent with this, Qbot campaigns have been quite sporadic over time, with researchers spotting one in October 2014, one in April 2016, and another during mid-May 2017.

Qbot also saw a resurgence last year, being dropped as a first-stage or second-stage malware payload by the Emotet gang, as well as being part of a context-aware phishing campaign in March 2019 that used emails camouflaged as parts of previous conversations.

A full list of indicators of compromise (IOCs), including the specific strings targeted by Qbot in this campaign and malware sample hashes, is available at the end of the F5 Labs report.
