
Understanding the New Strategies of QBot Trojan Operators

by CISOCONNECT Bureau

In August 2020, the Qbot operators were observed experimenting with several enhancements. Read on to know more…

Although Qakbot is an old project that has existed for over a decade, it is still actively updated. The Qbot operators have continually added new features to keep pace with the most advanced malware infections.

QBot’s recent attack campaign ran from March to June 2020 and resumed in August, spreading globally and infecting new targets. In August 2020, Qakbot was dropped via Emotet malware in COVID-19 related spam emails targeting U.S. businesses. Earlier, in July 2020, the Emotet campaigns had started dropping QakBot in place of TrickBot. The most targeted industries were the government, military, and manufacturing sectors.

About QBot
Qbot, also known as QakBot, is a banking Trojan that comes with information-stealing and stealth capabilities. Active since 2008, this bot has recently been used in an Emotet attack campaign. Even after a decade, its main goal has remained the same: stealing bank credentials and other financial information.

Recent Enhancements
In August 2020, the Qbot operators were observed experimenting with several enhancements. Examples of newly added features include stealing various data from infected machines, injecting additional malware (such as ransomware), enabling cyber criminals to connect remotely to the infected machine so that bank transactions can be performed from the victim’s IP address, and abusing the victim’s email accounts (accessible through the Microsoft Outlook program) to spread malware by replying to existing email threads.

The Qbot Trojan was upgraded in June 2020 with a renewed command-and-control infrastructure and new functions and stealth capabilities to avoid detection and analysis. In May 2020, ProLock and MegaCortex ransomware were using Qakbot to gain access to compromised networks. Qbot may therefore be offered as part of a Malware-as-a-Service scheme, or both ransomware families may be operated by the gang behind Qakbot. In the same month, Qakbot was also found adding scheduled tasks on infected systems for persistence.

Working Mechanism
Until July, Qbot was distributed via multiple malspam campaigns, but it has recently added a nasty trick to infect users. It activates an email collector module that extracts all email threads from the Outlook client and uploads them to a hardcoded remote server. These emails are (expected to be) used for future malspam campaigns that reply to the stolen threads.

In April 2020, the Qbot Trojan was observed to be dropped via context-aware phishing campaigns. In February, the malware attempted to brute-force network accounts from the Active Directory Domain Users group at targeted organizations.
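The brute-forcing of Active Directory accounts described above leaves a recognisable trace in Windows Security logs: one source producing failed logons (Event ID 4625) against many distinct accounts in a short time, often followed by a single successful logon (Event ID 4624) once a password matches. The script below is an added example, not code from the article or from any QBot analysis; it works over constructed sample log lines in a simplified CSV layout (timestamp, event ID, source IP, account), and the window and account-count thresholds are assumptions to tune against your own environment.

```python
"""Added example (not from the CISOCONNECT article): detect the Active
Directory brute-force / password-spray pattern described in the text from
Windows Security logon events.  Event IDs 4625 (failed logon) and 4624
(successful logon) are real Windows Security event IDs; the log lines below
are constructed samples in a simplified "timestamp,event_id,source_ip,account"
CSV form, not real exported logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.55 sprays six accounts in seconds and then
# logs on successfully as dpatel; 10.0.0.23 is an ordinary user mistyping once.
SAMPLE_LOG = """\
2020-02-10T09:00:01,4625,10.0.0.55,jsmith
2020-02-10T09:00:02,4625,10.0.0.55,mlee
2020-02-10T09:00:03,4625,10.0.0.55,akhan
2020-02-10T09:00:04,4625,10.0.0.55,bwong
2020-02-10T09:00:05,4625,10.0.0.55,cdiaz
2020-02-10T09:00:06,4625,10.0.0.55,dpatel
2020-02-10T09:00:07,4624,10.0.0.55,dpatel
2020-02-10T09:15:00,4625,10.0.0.23,jsmith
2020-02-10T09:16:00,4625,10.0.0.23,jsmith
2020-02-10T09:17:00,4624,10.0.0.23,jsmith
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


def parse_events(text):
    """Turn the CSV sample into (timestamp, event_id, source_ip, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, src, acct = line.split(",")
        events.append((datetime.fromisoformat(ts), eid, src, acct))
    return events


def find_spray_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source whose failed
    logons touched at least `min_accounts` distinct accounts inside one sliding
    `window`.  Sprays hit many accounts with few attempts each, so the number of
    distinct accounts, not the raw failure count, is the signal (thresholds are
    assumed values for this example)."""
    failures = defaultdict(list)
    for ts, eid, src, acct in events:
        if eid == FAILED_LOGON:
            failures[src].append((ts, acct))

    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        best = set()
        lo = 0
        for hi in range(len(attempts)):
            # Slide the window start forward until attempts[lo:hi+1] fits in it.
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            accts = {a for _, a in attempts[lo:hi + 1]}
            if len(accts) >= min_accounts and len(accts) > len(best):
                best = accts
        if best:
            flagged[src] = sorted(best)
    return flagged


def successes_after_spray(events, flagged):
    """Accounts that logged on successfully from a flagged source.  A spray only
    needs one hit, so these are the first accounts to reset and investigate."""
    return [(src, acct) for _, eid, src, acct in events
            if eid == SUCCESS_LOGON and src in flagged]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    sprays = find_spray_sources(evs)
    for src, accts in sprays.items():
        print(f"possible password spray from {src}: {len(accts)} accounts {accts}")
    for src, acct in successes_after_spray(evs, sprays):
        print(f"  successful logon for {acct} from {src} after spray: investigate")
```

In production the same logic runs over Event ID 4625/4624 records pulled from the domain controllers (the source IP and target account are fields of those events), and the window and account thresholds are set from a baseline of normal failed-logon volume so that help-desk activity does not trip the rule.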

Concluding Points
Banking customers should stay vigilant of emails asking for sensitive information and enable two-factor authentication for their banking accounts. Organizations should use updated antivirus software, regularly apply critical patches to their applications and operating system, and inspect network traffic for malicious activities.
