Qbot malware switched to stealthy new Windows autostart method

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
A new Qbot malware version now activates its persistence mechanism right before infected Windows devices shutdown and it automatically removes any traces when the system restarts or wakes up from sleep. [...]

In recent campaigns, Qbot victims have been infected using phishing emails featuring Excel document attachments pretending to be DocuSign documents.

Starting with November 24, when Binary Defense threat researcher James Quinn says that the new Qbot version was spotted, the malware is using a newer and stealthier persistence mechanism that takes advantage of system shutdown and resume messages to toggle persistence on infected devices.

This tactic is so successful that some researchers have previously thought that the Qbot trojan has removed this persistence mechanism altogether.

"While initial reports by other researchers had stated that the Run key persistence mechanism was removed in the new version of Qakbot, it has instead been added to a more stealthy and interesting persistence mechanism that listens for System Shutdown Messages, along with PowerBroadcast Suspend/Resume messages," Quinn explains.
 

sepik

Level 11
Verified
Well-known
Aug 21, 2018
505
Hello,
Just wondering...ZoneAlarm does have an ability called "Timing Attack Prevention" which prevents malicious programs from exploiting kernel timing vulnerabilities for execution of untrusted code. Would this help in this situation?

Kind regards,
-sepik
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top