Qbot Banking Trojan Seeks New Targets Using Old Tricks

Qbot malware (also known as Qakbot, Pinkslipbot, and Quakbot) has been around since at least 2007 and still has the core functionalities of a keylogger and data stealer. Recently, F5 Labs researchers have spotted new attacks using the latest version of Qbot malware.

What’s new

As any network-aware worm with backdoor capabilities, Qbot’s core functionality and target haven't changed a lot but the latest versions have added some new capabilities.
  • In June 2020, Qbot campaigns targeted at least 36 different U.S. financial institutions including JP Morgan, Citibank, Bank of America, Citizens, Capital One, Wells Fargo, etc., as well as two banks in Canada and the Netherlands, to steal credentials and financial data from customers, as well as to log user keystrokes, and deploy backdoors on compromised machines.
  • The latest versions added detection evasion techniques and a new packing layer that scrambles and hides the code from scanners and signature-based tools. To resist forensic examination, it also included anti-virtual machine techniques.
  • In these campaigns, the main attack method used was browser hijacking (via web redirections). Qbot was looking for specific financial services to harvest credentials by watching a victim’s web traffic.

Malware used in highly-targeted campaigns

Attackers often use exploit kits to drop Qbot on their targets' machines as it can rapidly propagate through connected networks and create an enterprise-wide incident.
  • In May 2020, a new ransomware strain named ProLock gained access to hacked networks via the Qbot Trojan to target healthcare organizations, government entities, financial institutions, and retail organizations.
  • In December 2019, Spelevo EK operators launched a new social engineering tactic to download and execute additional malware payload (Qbot) from decoy adult sites.

Security recommendations

Users should use updated antivirus software, apply critical patches, and inspect encrypted traffic. Use a firewall or IDS to block or detect backdoor server communications with remote client applications.