2020 Global Threat Intelligence Report for December

The QakBot threat

Lead Analyst: Dan Saunders, Senior Incident Response Consultant, NTT Ltd., UK & Ireland

Malspam campaigns distributing QakBot are on the rise and it’s not just the banking trojan you should be worried about!

What is QakBot?

QakBot aka Qbot aka Pinkslipbot is a banking trojan aimed at stealing credentials, hunting for financially-related information and recording system keystrokes. Qbot was first discovered in 2008, and has always been a well-structured, multi-layered piece of malware which continues to expand capabilities with every evolution. While it was previously distributed by another infamous banking trojan, Emotet, during 2020, Qbot has been prolific at infecting numerous organizations during its own relentless campaigns, which inevitably result in unauthorized access to the victim’s infrastructure. Qbot is currently being actively supported, with new versions typically being issued monthly.

Initial attack vector

Our Digital Forensics Incident Response (DFIR) team has responded to incidents involving Qbot to mitigate these types of cyberattacks. The initial attack vector is via widespread malspam campaigns, where malicious emails entice

unsuspecting victims to access a URL link to download an archive (.ZIP) file. Within the attachment is an obfuscated visual basic script (.VBS), which once executed makes HTTP(S) requests to compromised websites. If the website is reached, it attempts to download one of several first stage payloads. The payloads often have an image file (.PNG) extension, however they are actually executable.

Qbot actively harvests email threads from infected environments. These stolen emails are analysed and integrated into future malspam campaigns to make it appear as if the new email is part of an existing valid email conversation. This has the potential to make the next round of campaigns even more effective than the previous, especially when used in a targeted manner.

While Qbot has been detected in a wide variety of industries, it has been most commonly observed in government, manufacturing, military and healthcare organizations.

Qbot operations

The downloaded binary itself is packed and contents are encrypted to deter security researchers from reverse-engineering the malware.

Since Qbot is polymorphic, it is a difficult trojan to contain. First of all, the malware binary masks itself as the legitimate calc.exe program to avoid detection and secondly carries out process injection into explorer.exe. This process is then used to carry out additional injection and execute even more malicious functions. Some of the most notorious are hooking, credential stealing, keylogging, email collection and brute-force password capabilities. Persistence is maintained via the use of the Windows registry start-up run key and scheduled task creation.

Download the report to find more.