Qbot, also known as Qakbot, is a banking trojan that has been active since 2008. Recently, researchers observed an updated persistence mechanism that the trojan uses to evade detection by most antivirus solutions.
What are the new changes made to the trojan?
Usually, a Qakbot-infected machine creates a scheduled task that executes a JavaScript downloader, which makes a request to one of several hijacked domains. The researchers describe the changes in the trojan as follows:
“This downloader always requests the URI "/datacollectionservice[.]php3." from these hijacked domains. The domains used by the downloader for this request are XOR encrypted at the beginning of the JavaScript. The response to this request is obfuscated data that will be saved as (randalpha)_1.zzz and (randalpha)_2.zzz,” researchers said in a blog post.
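The fixed URI and the paired `.zzz` file names in the quote give defenders two indicators that can be correlated per host. The sketch below is an added example, not code from the researchers or from this article; the event schema, host names and sample paths are constructed, and it assumes "(randalpha)" means a run of ASCII letters shared by both files.

```python
import re
from collections import defaultdict

# Indicators from the quoted description; the defanged URI is refanged for matching.
URI_RE = re.compile(r"/datacollectionservice\.php3(?:[?#\s]|$)", re.IGNORECASE)
# Assumption: "(randalpha)" is a run of ASCII letters before _1.zzz / _2.zzz.
ZZZ_RE = re.compile(r"(?:^|[\\/])([A-Za-z]+)_([12])\.zzz$", re.IGNORECASE)

# Constructed sample events using a hypothetical schema: (host, kind, value).
SAMPLE_EVENTS = [
    ("ws-014", "http", "http://hijacked.example/datacollectionservice.php3"),
    ("ws-014", "file", r"C:\Users\a\AppData\Local\Temp\qwkfjz_1.zzz"),
    ("ws-014", "file", r"C:\Users\a\AppData\Local\Temp\qwkfjz_2.zzz"),
    ("ws-020", "http", "http://intranet.example/datacollectionservice.php"),
    ("ws-020", "file", r"C:\Temp\report_3.zzz"),
    ("ws-031", "file", r"C:\Temp\abc_1.zzz"),
]

def triage(events):
    """Map each host with at least one indicator to 'high' or 'review'."""
    seen = defaultdict(lambda: {"uri": False, "parts": defaultdict(set)})
    for host, kind, value in events:
        if kind == "http" and URI_RE.search(value):
            seen[host]["uri"] = True
        elif kind == "file":
            m = ZZZ_RE.search(value)
            if m:
                # Group the _1/_2 suffixes under their shared alphabetic prefix.
                seen[host]["parts"][m.group(1).lower()].add(m.group(2))
    verdicts = {}
    for host, s in seen.items():
        # Assumption: both files of one download share the same prefix.
        paired = any(p == {"1", "2"} for p in s["parts"].values())
        if s["uri"] and paired:
            verdicts[host] = "high"    # URI request plus both staged files
        else:
            verdicts[host] = "review"  # a single indicator only
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, verdict)
```

Because the hijacked domains change and are XOR encrypted in the script, the example keys on the constant URI path and the file-name pattern rather than on domain names.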
Key takeaways