Shifty new variant of Qbot banking trojan spreads

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,129
Content source
https://www.scmagazine.com/home/security-news/shifty-new-variant-of-qbot-banking-trojan-spreads/
An active malware campaign primarily targeting U.S. corporations with a new polymorphic variant of the Qbot banking trojan has been compromising thousands of victims around the world, researchers have reported.

The worm-like malware, whose original version is roughly a decade old, allows attackers to collect browsing activity and steal bank account credentials and other financial information. This is accomplished through a combination through a combination of techniques, including keylogging, credential and cookie exfiltration, and hooking.

Despite the campaign’s focus on the U.S., victims have been observed as far as Europe, Asia and South America, according to a blog post today from Varonis.

At last report, the company found 2,726 unique victims IP address, but the true number is most likely considerably larger. The U.S. is home to 1,730 of these victims, with the U.K., Germany and South Africa the next most affected nations.

Also known as Qakbot, “Qbot employs anti-analysis techniques, frequently evades detection, and uses new infection vectors to stay ahead of defenders,” warns blog post authors and researchers Dolev Taler and Eric Saraga. The variant, they explain, constantly modifies its tactics, creating files and folders with random names, frequently switching command-and-control servers and even changing the malware loader where there is an active internet connection.

Varonis believes the new Qbot is likely spreading via a phishing operation. This theory that is supported by the discovery of a zip file carrying a malicious VBS file with a .doc.vbs extension.

This VBS file determines the OS version of the victim’s machine and then looks for signs of anti-virus software from various major security vendors. And in a new behavior, the malware uses the BOTSAdmin command-line tool to produce a downloader component that ultimately introduces the main malicious payload.
Click to expand...
 
  • Like
Reactions: ForgottenSeer 72227, Andy Ful, Weebarra and 6 others
J

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
Usually this type of malware can use low-level hooks (such as WH_KEYBOARD_LL) to perform keylogging of all keystrokes fastly and deeply.

shmu26 said:
"And in a new behavior, the malware uses the BOTSAdmin command-line tool to produce a downloader component that ultimately introduces the main malicious payload."

It's a typo. They mean Bitsadmin.
Click to expand...
+1.
 
  • Like
Reactions: ForgottenSeer 72227, Andy Ful, Weebarra and 3 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
shmu26 said:
"And in a new behavior, the malware uses the BOTSAdmin command-line tool to produce a downloader component that ultimately introduces the main malicious payload."

It's a typo. They mean Bitsadmin.
Click to expand...
Good catch! The main source got it right.

blogvaronis2.wpengine.com

Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims

The Varonis Security Research team discovered a global cyber attack campaign leveraging a new strain of the Qbot banking malware. The campaign is actively targeting U.S. corporations but has hit networks...
blogvaronis2.wpengine.com blogvaronis2.wpengine.com
 
  • Like
Reactions: shmu26, JM Safe, ForgottenSeer 72227 and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
Standard delivery path:
phishing webpage or email attachment ---> ZIP file with VBS dropper or MS Office document with macro ---> VBS dropper (uses bitsadmin.exe, and executes the payload).
As usual, blocking scripts/macros will prevent the infection. No need to use the firewall rules (not efficient with bitsadmin.exe) or blocking the execution of bitsadmin.exe, or fighting the payload(y).
 
Last edited:
  • Like
Reactions: shmu26, JM Safe, ForgottenSeer 72227 and 2 others
You must log in or register to reply here.

Similar threads

LASER_oneXM
    • Like
New QBot email attacks use PDF and WSF combo to install malware
Replies
1
Views
1,464
News Archive
Andy Ful
Andy Ful
silversurfer
    • Like
    • +Reputation
QakBot Malware Operators Expand C2 Network with 15 New Servers
Replies
0
Views
902
News Archive
silversurfer
silversurfer
Bot
    • Like
Security News New BunnyLoader Malware Variant Surfaces with Modular Attack Features
Replies
0
Views
821
Security News
Bot
Bot

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top