Qbot Trojan: A Quick Analysis of a Decade-Old Banking Trojan

Qbot, also known as QakBot, is a banking Trojan with information-stealing and stealth capabilities. Active since 2008, it has recently been dropped by Emotet attack campaigns. Even after a decade, its main goal has remained the same: stealing bank credentials and other financial information.

Recent highlights

As of August 2020, Qbot's operators had been observed experimenting with several enhancements.
  • Qbot was updated in June 2020 with a renewed command and control infrastructure, new functions, and new stealth capabilities intended to evade detection and analysis.
  • In May 2020, the ProLock and MegaCortex ransomware operators were using Qakbot to gain access to compromised networks. This suggests either that Qbot is offered as part of a malware-as-a-service scheme or that both ransomware families are operated by the gang behind Qakbot.
  • In the same month, Qakbot was also observed creating scheduled tasks on infected systems.

Top targets

QBot’s recent attack campaign ran from March to June 2020 and resumed in August, spreading globally and infecting new targets.
  • In August 2020, Qakbot was dropped by Emotet in COVID-19-themed spam emails targeting U.S. businesses. Emotet campaigns had begun dropping Qakbot in place of TrickBot in July 2020.
  • The most targeted industries were government, military, and manufacturing.

Modus operandi

Until July, Qbot was distributed via multiple malspam campaigns; more recently it has added a new trick to infect users.
  • It activates an email collector module that extracts email threads from the victim's Outlook client and uploads them to a hardcoded remote server. These threads are presumably reused in future malspam campaigns: a malicious reply injected into a genuine, ongoing conversation is far more convincing to the recipient than an unsolicited email.
  • In April 2020, the Qbot Trojan was observed being dropped via context-aware phishing campaigns.
  • In February, the malware was observed brute-forcing accounts from the Active Directory Domain Users group at targeted organizations.
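The brute-force activity against Domain Users accounts described above is noisy on the domain controller: one source host produces failed logons (Windows Security event 4625) against many distinct accounts in a short span. The following is an added example, not code from the original article or from any Qbot analysis, that flags this pattern and then checks whether any flagged source also produced a successful logon (event 4624), which is the case that needs immediate response. The log records are constructed for this example in a simple key=value layout; the hosts, user names and IP addresses are made up, and the threshold and window are assumptions to be tuned per environment.

```python
"""Detect password-guessing across many AD accounts from a single source.

Added example, not part of the original article. The records below are
constructed for the example: they mimic Windows Security events 4625
(failed logon) and 4624 (successful logon) exported as key=value pairs.
Hosts, users and IPs are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data).
# 10.0.5.23 guesses six accounts in ten seconds, then logs on as "frank".
# 10.0.5.40 is one user mistyping a password, then succeeding.
# 10.0.5.51 fails against five accounts but ten minutes apart.
SAMPLE_LOG = """\
2020-02-11T09:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.5.23 LogonType=3 Status=0xC000006D
2020-02-11T09:00:03 EventID=4625 TargetUserName=bob IpAddress=10.0.5.23 LogonType=3 Status=0xC000006D
2020-02-11T09:00:05 EventID=4625 TargetUserName=carol IpAddress=10.0.5.23 LogonType=3 Status=0xC000006D
2020-02-11T09:00:07 EventID=4625 TargetUserName=dave IpAddress=10.0.5.23 LogonType=3 Status=0xC000006D
2020-02-11T09:00:09 EventID=4625 TargetUserName=erin IpAddress=10.0.5.23 LogonType=3 Status=0xC000006D
2020-02-11T09:00:11 EventID=4625 TargetUserName=frank IpAddress=10.0.5.23 LogonType=3 Status=0xC000006D
2020-02-11T09:00:13 EventID=4624 TargetUserName=frank IpAddress=10.0.5.23 LogonType=3
2020-02-11T09:01:00 EventID=4625 TargetUserName=alice IpAddress=10.0.5.40 LogonType=2 Status=0xC000006D
2020-02-11T09:01:05 EventID=4625 TargetUserName=alice IpAddress=10.0.5.40 LogonType=2 Status=0xC000006D
2020-02-11T09:01:09 EventID=4624 TargetUserName=alice IpAddress=10.0.5.40 LogonType=2
2020-02-11T09:00:00 EventID=4625 TargetUserName=gina IpAddress=10.0.5.51 LogonType=3 Status=0xC000006D
2020-02-11T09:10:00 EventID=4625 TargetUserName=hank IpAddress=10.0.5.51 LogonType=3 Status=0xC000006D
2020-02-11T09:20:00 EventID=4625 TargetUserName=ivan IpAddress=10.0.5.51 LogonType=3 Status=0xC000006D
2020-02-11T09:30:00 EventID=4625 TargetUserName=judy IpAddress=10.0.5.51 LogonType=3 Status=0xC000006D
2020-02-11T09:40:00 EventID=4625 TargetUserName=kate IpAddress=10.0.5.51 LogonType=3 Status=0xC000006D
"""


def parse_events(text):
    """Parse one record per line: ISO timestamp followed by key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        record = dict(field.split("=", 1) for field in fields)
        record["time"] = datetime.fromisoformat(stamp)
        events.append(record)
    return events


def find_spraying(events, min_accounts=5, window=timedelta(minutes=5)):
    """Return {source_ip: sorted account names} for every source whose failed
    logons (4625) cover at least min_accounts distinct users inside some
    sliding time window. Repeated failures on one account do not count."""
    attempts_by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == "4625":
            attempts_by_ip[ev["IpAddress"]].append((ev["time"], ev["TargetUserName"]))

    hits = {}
    for ip, attempts in attempts_by_ip.items():
        attempts.sort()
        flagged = set()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {user for _, user in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged |= users
        if flagged:
            hits[ip] = sorted(flagged)
    return hits


def confirmed_access(events, hits):
    """For each flagged source, list accounts that logged on successfully
    (4624) from that same source: guessing followed by success is the
    highest-priority finding."""
    confirmed = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["EventID"] == "4624" and ev["IpAddress"] in hits:
            confirmed[ev["IpAddress"]].append(ev["TargetUserName"])
    return dict(confirmed)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    sprayed = find_spraying(evs)
    for ip, users in sprayed.items():
        print(f"{ip}: failed logons against {len(users)} accounts: {', '.join(users)}")
    for ip, users in confirmed_access(evs, sprayed).items():
        print(f"{ip}: SUCCESSFUL logon after guessing as {', '.join(users)}")
```

The window matters: with the default five-minute window only 10.0.5.23 is flagged, while a one-hour window would also flag 10.0.5.51's slow, spread-out attempts. Slow spraying of this kind is exactly what a naive "N failures per minute" rule misses, so in practice both a short and a long window are worth running.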

Key takeaways

Banking customers should be wary of emails asking for sensitive information and enable two-factor authentication on their banking accounts. Organizations should keep antivirus software up to date, apply critical patches to applications and operating systems promptly, and monitor network traffic for malicious activity. Given the behaviour described above, they should also alert on bursts of failed domain logons from a single host and treat replies to existing email threads with the same suspicion as unsolicited messages.