Sometimes malware can be a one-hit wonder:
show up on the scene, cause chaos, and then never be troublesome again after
exploits are patched and antivirus scanners are updated to help protect against
it. Sometimes, however, a piece of malware just keeps reappearing with
alterations that make it relevant again. One such program, Qbot, has
been around for over 12 years and has now popped back up to attack customers
who use a multitude of U.S. financial institutions.
Qbot, also known as Quakbot, Qakbot, and Pinkslipbot, is a
Windows-based malware that first appeared around 2008 and has always been
focused on gathering browsing data and financial information from victims.
There are gaps where Qbot would seem to disappear for a while, but then
it would come back with some new functionality such as improved detection
evasion or worm-like spreading capabilities. New Qbot campaigns have
been uncovered in October 2014, April 2016, and May 2017, as well as being used
by the Emotet gang last year as the payload malware. The latest strain was
first seen in January of this year and is now targeting banking portals for
Bank of America, Capital One, Citibank, Citizen’s Bank, J.P. Morgan, Sun Bank,
TD Bank, Wells Fargo, and more.
Researchers at F5, an
application threat intelligence research lab, discovered this variant and
worked out how the new infection process works. The malware is delivered to the
target computer through one of a variety of sources: phishing attempts, web
exploits that drop the malware as the payload, or through malicious file
sharing activities. Once the malware is on the system, the executable loads Qbot
into the running explorer.exe application. Next, the malware copies itself
into the application folder’s default location and the registry key
HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that it will run up-on
system reboots. Qbot then creates a .dat file with system information and
the botnet name, executes from the %APPDATA% folder, and replaces the original
infection file to cover its tracks. Finally, the malware injects itself into a
new-ly created explorer.exe instance for use for updates from external C2
servers.
The newest variant of Qbot includes
a packing layer that scrambles the code to evade Antivirus scanners and
signature-based tools, as well as anti-virtual ma-chine techniques to keep
people from easily examining how the malware operates. Researchers suggest
keeping antivirus software updated and staying up to date on critical patches
for other software as well. User awareness training to spot phishing attempts
can also be helpful in preventing victimization.
