Researchers: Qbot Banking Trojan Making a ComebackMalware Revamped With New Functions and Stealth Capabilities
The notorious Qbot banking Trojan is making a comeback with new features and capabilities that enable it to more effectively steal victims' financial data and credentials, according to F5 Labs.
The operators of the Qbot Trojan are conducting an ongoing credential harvesting campaign that’s targeting the customers of some of the top U.S. financial firms, including JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo among others, according to researchers at F5 Labs.
So far, customers of about 36 banks and financial services companies, including firms in the U.S., Canada and the Netherlands, have been targeted by this campaign, according a new F5 Labs report.
Qbot, also called Qakbot and Pinkslipbot, has been active since 2008 and is known for collecting browsing data and stealing banking credentials and other financial information from victims, according to the report.
In 2014, researchers at Proofpoint found that 800,000 banking credentials of victims who mainly were customers of the five largest U.S. financial services firms had been stolen using Qbot, with attackers having installed the malware on about 500,000 devices (see: Hackers Grab 800,000 Banking Credentials).
James McQuiggan, a security awareness advocate at security firm KnowBe4, says it’s not surprising that the malware is still active and being updated.
"Cybercriminals have seen it work successfully in the past and update the code and concepts by injecting it into known processes, which are accepted by anti-malware applications," McQuiggan tells Information Security Media Group.
The malware uses browser hijacking or redirection as the main attack method on an infected device, the report states. It’s capable of using a variety of techniques, such as keylogging, credential theft, cookie exfiltration, process hooking, and even worm self-replication tactics, to propagate itself over shared drives and removable media, according to F5 Labs.
In the latest version of Qbot, the operators have added detection-evasion techniques, such as a new packing layer to scramble and hide the code from scanners and signature-based tools that are used by analysts to find known threats, according to the report. The new version also has anti-virtual machine techniques to evade forensic analysis.
"The targets changed and features were added, but it’s still primarily about keylogging and, secondarily, about extracting a victim’s personal data," F5 Labs notes in its report.
Qbot is usually spread with phishing emails that lure victims to malicious websites through links embedded in the messages. These malicious websites then use exploits to inject Qbot into the running Windows Explorer memory of a device through a dropper, according to the report.
The malware places itself in the application folder's default location and then creates copies in a specific registry key in order to run when the system reboots, the F5 Labs researchers say.
During execution from the application folder, the malware replaces the originally infected file in the application folder with a legitimate file in order to cover its tracks. Further, Qbot injects itself into a new instance of Windows Explorer, which is always running, giving the hackers the ability to update the malware from an external command and control server, according to the report.
To help mitigate the risks, F5 Labs advises organizations to use updated anti-virus software, apply patches in a timely manner, inspect encrypted traffic and provide employees with proper security awareness training.
"Organizations will want to implement not only an anti-malware application on the endpoints, but also an endpoint detection response program to provide additional security of the system with two sets of processes running to detect and react on malware entering the system," KnowBe4’s McQuiggan says.