loader gif

New malware campaign targets US corporations with a new polymorphic variant of the Qbot trojan

  • The new malware campaign distributing a new variant of the Qbot trojan primarily targets the US organizations followed by Europe and Asia.
  • The new variant of the Qbot trojan is polymorphic and constantly changes its tactics, creates files with random names, and swiftly changes its C&C server.

What is the issue - Researchers from Varonis spotted a new malware campaign distributing a new variant of the Qbot banking trojan. The campaign primarily targets the US organizations followed by Europe and Asia.

Why it matters - The new Qbot banking trojan is polymorphic and constantly changing.

Qbot, also known as Qakbot, is a banking trojan which was first identified in 2009. Qbot trojan is designed to steal financial information and banking details such as bank account credentials.

The new variant of the Qbot trojan has various capabilities like:

  • Constantly changing its tactics
  • Creating files with random names
  • Swiftly changing its C&C server
  • Changing the malware loader when there is an active internet connection

“Qbot employs anti-analysis techniques, frequently evades detection, and uses new infection vectors to stay ahead of defenders,” researchers said.

By numbers

  • Researchers detected 2,726 unique victims IP address.
  • Of which, 1730 victims reside in the US.

The big picture

  • The new variant of Qbot trojan is distributed via phishing emails that included a zip file with a .doc.vbs extension.
  • Upon opening the zip file, the malicious VBS file gets executed.
  • The VBS file then extracts the OS version of the victim’s computer and attempts to detect the antivirus program installed on the infected system.
  • The antivirus software which the malware scans for include Defender, Virus, Antivirus, Malw, Trend, Kaspersky, Kav, Mcafee, and Symantec.
  • It then uses the BITSAdmin to download the malware loader. The loader has multiple versions and constantly updates even after execution.
  • The loader is signed with fake stolen certificates from Saiitech Systems Limited, ECDJB Limited, Hitish Patel Consulting Ltd, Doorga Limited, and more.
  • Once the loader achieves persistence, the main payloads begin to brute force accounts on the network.

“If the malware compromises a domain account, it enumerates the “Domain Users” group and brute forces the accounts. If the compromised account is a local account, the malware uses a predefined list of local users instead,” researchers said.

loader gif