A well-known banking trojan, Qbot, has resurfaced with new capabilities and is targeting sectors vital to national security, including government, military and manufacturing organizations across the United States and Europe. Recent research from Check Point Research shows that the revived malware not only steals online banking credentials but also uses more sophisticated methods to get onto its victims' systems.
The renewed Qbot activity coincides with the recent return of Emotet, another malware family known for running large-scale spam campaigns and delivering ransomware through email. The latest Qbot variant can quietly harvest email threads from victims' Outlook clients; the operators then reuse those threads in later malspam campaigns, so that the lure arrives as a reply to a conversation the recipient recognizes.
Check Point Research stresses that the threat from Qbot has grown, both because its active malspam campaigns let it infect organizations more efficiently and because it is now also delivered through Emotet's infection infrastructure, which widens its reach. Since it first appeared in 2008, Qbot has evolved from a straightforward information stealer into a versatile malware delivery platform: it can drop other threats such as ProLock ransomware, and it lets its operators carry out banking transactions from the victim's own machine, so that the fraudulent transaction originates from the victim's IP address rather than the attacker's.
Attackers usually deliver Qbot through phishing emails that lure recipients to a malicious website or attachment. The emails pose as legitimate communications such as COVID-19 updates, tax notifications or job offers. What makes them convincing is that they are inserted into genuine, previously stolen conversations: an automated email collector module on already-infected machines extracts Outlook threads and uploads them to a predetermined remote server, and the operators then reply to those threads with the malicious content, lending the attack borrowed credibility.
F5 Labs has noted that Qbot has added features to evade detection and forensic analysis, using techniques documented by Morphisec that let it slip past both Content Disarm and Reconstruction (CDR) and Endpoint Detection and Response (EDR) products. This continual evolution shows how malware developers adjust their tooling to keep a foothold despite improving defenses.
The infection chain typically begins with a crafted phishing email that carries, or links to, a ZIP archive. The archive contains a malicious Visual Basic Script (VBS); when the user runs it, the script downloads the Qbot payload from an attacker-controlled server, and the payload then establishes a command-and-control channel. In MITRE ATT&CK terms this covers Initial Access via phishing (T1566), Execution through the Windows script host (T1059.005, Visual Basic) and Command and Control over an application-layer protocol (T1071).
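The chain above (ZIP lure, VBS run by a script host from a user-writable folder, then an outbound connection from that script host) is something a SOC can detect on endpoint telemetry. The following is an added example written for this article, not code from Check Point Research or any of the vendors mentioned. It inspects an in-memory ZIP for script members and then correlates constructed Sysmon-style process-creation and network-connection events; the event field names (`ts`, `event`, `pid`, `image`, `parent_image`, `cmdline`, `dest_ip`, `dest_port`), the file names, the paths and the 203.0.113.10 address are all assumptions made up for the example.

```python
from __future__ import annotations

import io
import json
import zipfile
from datetime import datetime

# Windows script hosts that a dropped VBS is executed through.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script extensions worth flagging inside a mail attachment or on the command line.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# User-writable locations where mail clients and browsers unpack attachments.
USER_DROP_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")


def script_members(zip_bytes: bytes) -> list[str]:
    """Return the members of a ZIP archive that carry a script extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(SCRIPT_EXTS)]


def make_lure_zip() -> bytes:
    """Constructed stand-in for the phishing attachment (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0827.vbs", "' constructed placeholder, no real payload\r\n")
        zf.writestr("README.txt", "decoy\r\n")
    return buf.getvalue()


def _is_dropped_script_launch(ev: dict) -> bool:
    """True when a script host runs a script file out of a user drop directory."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower().strip().rstrip('"')
    return (image in SCRIPT_HOSTS
            and cmd.endswith(SCRIPT_EXTS)
            and any(d in cmd for d in USER_DROP_DIRS))


def detect_script_to_c2(events: list[dict], window_s: int = 60) -> list[dict]:
    """Flag a dropped-script launch followed by an outbound connection from the
    same process within window_s seconds. Script hosts run from system paths
    (logon scripts, slmgr.vbs, ...) are not flagged, which keeps noise down."""
    launches: dict[int, tuple[datetime, dict]] = {}
    hits: list[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "process_create" and _is_dropped_script_launch(ev):
            launches[ev["pid"]] = (ts, ev)
        elif ev["event"] == "network_connect" and ev["pid"] in launches:
            started, launch = launches[ev["pid"]]
            if (ts - started).total_seconds() <= window_s:
                hits.append({
                    "pid": ev["pid"],
                    "parent": launch["parent_image"],
                    "script": launch["cmdline"],
                    "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                    # ATT&CK techniques the observed sequence corresponds to.
                    "attack": ["T1566", "T1059.005", "T1071"],
                })
    return hits


def load_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON events (constructed format for this example)."""
    return [json.loads(line) for line in text.strip().splitlines()]


# Constructed telemetry: one Qbot-style chain, then a benign system script.
SAMPLE_LOG = r"""
{"ts": "2020-08-27T09:14:02", "event": "process_create", "pid": 4120, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "wscript.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_RE_Invoice.zip\\Invoice_0827.vbs\""}
{"ts": "2020-08-27T09:14:07", "event": "network_connect", "pid": 4120, "dest_ip": "203.0.113.10", "dest_port": 443}
{"ts": "2020-08-27T09:20:00", "event": "process_create", "pid": 5008, "image": "C:\\Windows\\System32\\cscript.exe", "parent_image": "C:\\Windows\\System32\\services.exe", "cmdline": "cscript.exe //nologo C:\\Windows\\System32\\slmgr.vbs /dli"}
{"ts": "2020-08-27T09:20:01", "event": "network_connect", "pid": 5008, "dest_ip": "10.0.0.5", "dest_port": 445}
"""

if __name__ == "__main__":
    print("script members in lure:", script_members(make_lure_zip()))
    for hit in detect_script_to_c2(load_events(SAMPLE_LOG)):
        print("ALERT", json.dumps(hit))
```

The archive check is a cheap mail-gateway filter; the process-to-network correlation is the endpoint side, and the drop-directory condition is what separates a user double-clicking an attachment from legitimate administrative scripts. In production the `window_s` value and the drop-directory list would be tuned per environment, and the destination would be enriched with reputation data rather than alerted on blindly.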
Qbot can also load an hVNC (hidden VNC) plugin that gives operators remote control of the infected machine through a hidden desktop session, letting them carry out banking transactions in the victim's own browser without the user noticing. Strictly speaking this is session and device hijacking rather than privilege escalation: because the transaction comes from the victim's machine, browser and IP address, fraud controls that rely on device fingerprinting or geolocation are far less likely to trigger. It is one more reason why even ordinary-looking email deserves scrutiny.
Beyond email hijacking, Qbot ships a proxy module that turns infected machines into relays for the botnet's command-and-control traffic. Compromised hosts front for the real back-end servers, which hides the attackers' infrastructure, makes takedowns harder and broadens the botnet's operational capacity, all at the expense of the organizations whose machines are conscripted.
Overall, the resurgence of Qbot is a potent reminder that established threats keep evolving. Businesses must stay alert to sophisticated phishing, in particular to replies that arrive in existing conversations, and must monitor their systems for signs of such activity. As Yaniv Balmas of Check Point Research noted, threat actors are investing heavily in upgrading these older malware families to enable large-scale data theft from unsuspecting organizations.
The return of Qbot underlines the importance of robust security practices and employee training as defenses against these evolving threats. Business owners should prioritize comprehensive security measures to guard against increasingly complex intrusion attempts.