Sometimes malware is a one-hit wonder: it shows up, causes chaos, and is never troublesome again once the exploits it relies on are patched and antivirus signatures are updated to catch it. Sometimes, however, a piece of malware keeps reappearing with alterations that make it relevant again. One such program, Qbot, has been around for over 12 years and has now resurfaced to attack customers of a multitude of U.S. financial institutions.
Qbot, also known as Quakbot, Qakbot, and Pinkslipbot, is Windows-based malware that first appeared around 2008 and has always focused on harvesting browsing data and financial credentials from victims. There are gaps where Qbot seems to disappear for a while, but it then returns with new functionality such as improved detection evasion or worm-like spreading capabilities. New Qbot campaigns were uncovered in October 2014, April 2016, and May 2017, and last year the Emotet gang used it as a second-stage payload. The latest strain was first seen in January of this year and targets the online banking portals of Bank of America, Capital One, Citibank, Citizens Bank, J.P. Morgan, Sun Bank, TD Bank, Wells Fargo, and others.
Researchers at F5 Labs, F5's threat intelligence research team, discovered this variant and worked out how the new infection process works. The malware reaches the target computer through one of several routes: phishing attempts, web exploits that drop the malware as the payload, or malicious file sharing. Once the dropper is on the system, the executable loads Qbot into the running explorer.exe process. Next, the malware copies itself into the default application data folder (%APPDATA%) and writes a value under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that it is launched again after every reboot. Qbot then creates a .dat file holding system information and the botnet name, executes from the %APPDATA% folder, and overwrites the original dropper file to cover its tracks. Finally, the malware injects itself into a newly created explorer.exe instance, which contacts external C2 servers for updates, so the malicious traffic appears to originate from a legitimate Windows process.
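The persistence step above gives a defender a cheap check: any user can export their own HKCU Run key with `reg export`, and a legitimate autostart rarely lives under %APPDATA% or another user-writable directory. The following Python script is an added example, not F5's research code and not anything taken from a Qbot sample. It parses a constructed .reg export of that key, resolves each entry's executable (expanding %VAR% references from a supplied environment mapping, since the script may run off-host), and flags entries that launch from user-writable locations. The value names, folder names and paths in the sample are made up for illustration.

```python
import re
from typing import Dict, List

# Added example (not F5's or the malware's code). Triages the HKCU Run
# key described in the article: entries whose program lives in a
# user-writable directory such as %APPDATA% are flagged for review.
# The .reg text and the environment mapping below are constructed samples.

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Locations an unprivileged user can write to. Legitimate autostarts
# usually point into Program Files or the Windows directory instead.
# Unexpanded %VAR% forms are included so an entry still trips the check
# when no environment mapping is available.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\temp\\",
    "\\users\\public\\",
    "%appdata%",
    "%localappdata%",
    "%temp%",
    "%tmp%",
)

# In .reg files a REG_SZ value is written as "name"="data"; backslashes and
# double quotes inside either part are escaped with a backslash.
# REG_EXPAND_SZ values appear as hex(2):... and are not handled here.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_key(reg_text: str) -> Dict[str, str]:
    """Return {value_name: command_line} for REG_SZ values under RUN_KEY.

    `reg export` writes UTF-16 with a BOM; decode a file with
    encoding="utf-16" before passing its text here. Other keys in the
    export (e.g. RunOnce) are ignored.
    """
    entries: Dict[str, str] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def executable_path(command_line: str, env: Dict[str, str]) -> str:
    """Extract the program path from a Run value and expand %VAR% references."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        # An unquoted path containing spaces is ambiguous; the first token
        # is the best we can do without probing the filesystem.
        path = cmd.split(" ", 1)[0]
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def find_suspicious_run_entries(reg_text: str, env: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag Run entries whose executable resolves into a user-writable directory."""
    findings: List[Dict[str, str]] = []
    for name, cmd in parse_run_key(reg_text).items():
        path = executable_path(cmd, env)
        low = path.lower()
        hit = next((mk for mk in USER_WRITABLE_MARKERS if mk in low), None)
        if hit:
            findings.append({"name": name, "path": path, "marker": hit})
    return findings


# Constructed sample of what `reg export HKCU\...\Run run.reg` might
# contain on an infected host. Names and paths are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchelper"="\"C:\\Users\\alice\\AppData\\Roaming\\svchelper\\svchelper.exe\""
"Sync"="%APPDATA%\\syncsvc\\sync.exe /quiet"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\System32\\cmd.exe /c del C:\\Users\\alice\\AppData\\Local\\Temp\\x.tmp"
'''

# Constructed environment of the exporting user (needed when triaging off-host).
SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming",
              "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
              "TEMP": r"C:\Users\alice\AppData\Local\Temp"}

if __name__ == "__main__":
    for f in find_suspicious_run_entries(SAMPLE_REG, SAMPLE_ENV):
        print(f"{f['name']}: {f['path']}  [matches {f['marker']}]")
```

On the sample the OneDrive entry passes and the two entries pointing into AppData\Roaming are reported. A hit is a lead, not a verdict: some legitimate updaters do install per-user under %LOCALAPPDATA%, so confirm by checking the file's signature and whether a .dat file or a freshly spawned explorer.exe accompanies it, as described above.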
The newest variant of Qbot includes a packing layer that scrambles the code to evade antivirus scanners and other signature-based tools, as well as anti-virtual-machine techniques to keep analysts from easily examining how the malware operates. Those tricks hinder static and sandbox analysis, but the behaviour on an infected host is still visible: an unexpected Run-key entry pointing into %APPDATA% and an explorer.exe instance making outbound connections remain usable indicators. Researchers suggest keeping antivirus software updated and staying current on critical patches for other software as well. User awareness training to spot phishing attempts can also help prevent victimization.