Qbot

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Type
Trojan
Origin
Unknown
First seen
1 January, 2009
Last seen
5 October, 2022
Also known as
Pinkslipbot
QakBot
Quakbot
Global rank
19
Week rank
4
Month rank
9
IOCs
9170

What is Qbot?

Qbot, also known as QakBot, Pinkslipbot, and Quakbot, is a Banking Trojan — malware designed to steal banking credentials, online banking session information, personal details of the victim, or any other banking data.

Although early versions of Qbot were spotted all the way back in 2009, its creators have maintained this Trojan. Today, it continues to be active and features worm-like abilities to spread over networks, supports advanced web-injections techniques, and has a persistence mechanism that some researchers believe to be one of the best in its class. Additionally, the Trojan has anti-VM, anti-debug and anti-sandbox functionally that makes research and analysis quite difficult.

Furthermore, Qbot is polymorphic, which means that it can change itself even after it is installed on an endpoint. The Trojan constantly modifies files, and the dropper that the newer version of Qbot continuously cycles through command and control servers.

The combination of these functions makes Qbot highly dangerous malware. Qbot has been used in several successful attacks on organizations and governmental structures and has infected tens of thousands of machines.

General description of Qbot

Qbot is dispatched in targeted attacks against businesses. With this Trojan, the attackers go after bank accounts of organizations or private users who access their personal online banking cabinets from corporate networks by piggybacking into banking sessions of the victim.

The Trojan uses man-in-the-browser functionality to perform web injections, allowing it to alter what the victims see on the banking website when browsing from an infected machine. Interestingly, while most malware samples that use this technique contain the web injection code in their config file, Qbot can fetch the code from a controlled domain as it performs malicious activity.

Another trait that differentiates Qbot from other Trojans is its worm-like functionality. Qbot can copy itself using shared drives and spread over the network, spreading on its own or after receiving a command from the command and control server. Together with a highly developed persistence mechanism that uses registry runkeys and scheduled tasks, these traits make erasing Qbot from the infected network very difficult. The Trojan is designed to sustain itself despite system reboots and automatically launch itself when the system is turned on again.

This infamous persistence functionality has allegedly caused compromise of sensitive information in two government organizations in Massachusetts in 2011, while worm-like behavior helped the Qbot infiltrate thousands of machines and create a botnet with over 1,500 devices resulting from that attack.

Most of the targets that Qbot goes after are US-based organizations. Only about twenty percent of the new attack businesses are located outside of the United States. Although apart from the government offices, most of the attacks have been directed at banking, tech, and healthcare industries, there is no hard evidence to suggest that the attackers are aiming at specific fields. This means that businesses working in any industry can get hit by Qbot.

It is also important to note that an advanced cybergang operates the malware. Qbot attacks have been appearing on the radar of security researchers periodically, with phases of high activity and intervals when attacks would completely stop. This behavior is likely to avoid attracting too much attention from law enforcement and allows attackers to tweak and improve the malware during their time off.

The group behind Qbot is also notoriously known for pushing out new modified malware samples at astonishing rates. They repack and re-scramble the code daily, making malware identification by means of anti-virus software unreliable.

Unfortunately, people's identities behind Qbot are unknown, but it is widely believed that the cyber gang is based somewhere in Eastern Europe.

Qbot malware analysis

This video recorded in the ANY.RUN interactive malware hunting service shows the execution process of Qbot. You can also research other malware like Netwire and Predator the Thief.

qbot_process_graph

Figure 1: Displays the tree of processes created by the ANY.RUN interactive malware hunting service

Qbot execution process

Since Qbot is mostly targeted at the corporate sector, the main way of its penetration into infected systems is through a malicious document. In our example, maldoc starts several processes, including Powershell through by using a macro. Then, using cmd.exe, this trojan starts a chain of commands and executions, creating folders and temporary files. It utilizes Powershell to download the payload. Notably, the payload's name is as simple as six of the same digits or, less often, letters. Also, the payload often has a .png extension, although it is an executable file.

After that trojan starts its main execution, Qbot tries to evade detection by overwriting itself with the legitimate Windows executable calc.exe using the following commands: cmd.exe /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > “Path to malware executable.” Qbot also injects explorer.exe and adds itself into autorun for persistence.

Qbot distribution

Qbot uses multiple attack vectors to infect victims. The malware uses email spam and phishing campaigns, as well as vulnerability exploits to infiltrate its targets. One of the more recent versions of the malware was observed being distributed by a dropper.

The dropper that installs Qbot is equipped with a delayed execution function. This means that after the dropper itself is downloaded onto a target machine, it waits around fifteen minutes before dropping the payload, likely in an effort to trick automatic sandboxes and avoid detection.

How to detect Qbot using ANY.RUN?

Sometimes Qbot trojan creates files that allow analysts to detect it with a high degree of certainty. To detect Qbot, open the "Files" tab in the lower part of the task's window and take a look at the created folders. If you see folders with names such as "Zulycjadyc" and "imtaykad" within C:\Users\admin\AppData\ Roaming\Microsoft\ directory and .exe or .dat file with a name "ytfovlym," as shown on the figure below, be sure that it is Qbot in front of you.

how_to_detect_qbot

Figure 2: Detecting Qbot by local files

Conclusion

Security researchers successfully reversed a sample of Qbot in a 2020 investigation. Since the researchers managed to pinpoint a command and control server, they could identify the true scale of the attack. What they uncovered was an active Qbot botnet consisting of over 2,000 computers.

If there was any doubt that Qbot is a severe threat, hopefully, this should clear it. Advanced web injections, sophisticated anti-evasion techniques, worm-like functions, and an experienced cyber gang that constantly updates the malware is a dangerous cocktail.

As security researchers, it is essential to analyze malware like Qbot since code obfuscation makes research complicated. Every investigation has the potential to uncover important data that will help businesses avoid attacks or identify and eradicate this Trojan quicker. At the same time, Qbot avoids dynamic analysis with some automatic sandboxes with the delayed execution of its dropper and other tricks, interactive sandboxes like the one presented by the ANY.RUN malware hunting services are not so easily fooled.

ANY.RUN presents a good opportunity to perform dynamic analysis on this malware from a secure online environment and share your findings with fellow researchers in our public malware database.

IOCs

IP addresses
192.254.234.66
217.128.122.65
182.191.92.203
38.70.253.226
75.99.168.194
74.14.5.179
39.52.44.132
104.34.212.7
216.238.72.121
45.46.53.140
193.253.44.249
120.150.218.241
86.195.158.178
32.221.224.140
92.132.172.197
45.63.1.12
94.59.15.180
78.101.91.101
144.202.2.175
70.49.33.200
Hashes
24c06427f589e885b0a78df6dfe784c7ae73f6aafe936ce73b788615873f9acd
dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064
f6210da7865e00351c0e79464a1ba14a8ecc59dd79f650f2ff76f1697f6807b1
cc185105946c202d9fd0ef18423b078cd8e064b1e2a87e93ed1b3d4f2cbdb65d
6cf996289d0b112a61933cda139f17ef3267095b299446c07926c246a6a2e325
c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4
3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b
1516f0fcdbb6491e75326b530dc1fb245e4d063e6b0a08fecdbf29cdae3dd7ee
6f00837f83703021bc4f718a4df8a7fbdadf5fff50728dc09c050efa5259db89
162a0d1651250cab75ba0219b85763bdaf5af3398b5dfed0a8d35d53bd920616
3974a20dc96df47df6c54e76f50a95259b12867368e72ed765b64d20f179cbab
aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326
c118e4088bc5aaffebe7208df9f01da9d70ba625ba020c593723495c0954a203
a23ef053cccf6a35fda9adc5f1702ba99a7be695107d3ba5d1ea8c9c258299e4
a50c1c7b11a6deb6f52ced8a87279ee52ab7ccd608688eee2bf6a6dacba3c816
22abe3fec0ad64fb2511acc93d9fb3f41d2cd926e58f4726a0b1cdab28314e30
dffe663e1438cb2559c5a767e2d30b01905f19ecad852016286850d36c1e572c
ebb2782b060f9b2651c3d913842440419b95313825352f8af1438506c03e7a5d
3a8cdb21ae95867928bfc5c4eb878ef899da5c5918e8f680bd4c6912326d1cda
099af22fe8f2399f46a7403fe8546d7b011744d2a46b6482208af3b266f25bfe
Domains
www.thecitizensforum.org
www.xn--anibalderedao-7eb3d.com
korleva.ru
www.paradajaime.com
worldview.word
www.soukid.com
www.simplefinest.com
virustotalo.com
documents-bjc.org
www.mozhpevac.icu
www.desyrnan.com
partner-2021.tk
www.taobaobeibei.com
verified-capitalone.com
www.jinxbookstore.com
www.zhgxzdh.com
www.soundai.net
www.hencountrydo.org
www.teens2cash.com
idsecurednow.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More