Security researchers from F5 Labs have warned about ongoing attacks using a new version of the Qbot banking trojan to steal credentials from customers of dozens of US financial institutions.
Qbot (aka Qakbot, Pinkslipbot, and Quakbot) is a banking trojan, which has been active since 2008. Over the years, many variants of Qbot emerged with enhanced capabilities, but Qbot’s main goal has remained the same: collect browsing activity and steal bank account credentials and other financial information.
Qbot typically spreads via phishing emails that point users to websites that use exploits to install Qbot via a dropper. Once running, it harvests data through a combination of techniques that subvert the victim’s web sessions, including keylogging, credential theft, cookie exfiltration, and process hooking.
In the recent campaign the researchers observed a new version of Qbot targeting 36 U.S. financial institutions (JP Morgan, Citibank, Bank of America, Citizens, Capital One, Wells Fargo, FirstMerit Bank and others), as well as two banks in Canada and the Netherlands.
According to F5 Labs, the new Qbot variant has been equipped with new detection and research-evasion techniques.
“It has a new packing layer that scrambles and hides the code from scanners and signature-based tools. It also includes anti-virtual machine techniques, which help it resist forensic examination,” the researchers wrote.
Here’s how the new Qbot infection typically occurs on a targeted computer:
1. Qbot is loaded into the memory of the running explorer.exe process from an executable introduced via phishing, an exploit’s dropper, or an open file share.
2. Qbot copies itself into the user’s application data folder, the location the %APPDATA% environment variable points to.
3. Qbot adds an entry for that copy under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that it runs again when the system reboots.
4. Qbot drops a .dat file containing a log of the system information and the botnet name.
5. Qbot executes its copy from the %APPDATA% folder and, to cover its tracks, replaces the originally infected file with a legitimate one.
6. Lastly, Qbot creates an instance of explorer.exe and injects itself into it. The attackers then use the always-running explorer.exe process to update Qbot from their external command-and-control server.
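The persistence and injection steps above leave two artifacts a defender can hunt for: a Run value whose image lives under %APPDATA% (which resolves to AppData\Roaming on a default profile) and an explorer.exe instance spawned by a non-shell parent. The script below is an added example, not F5 Labs’ analysis code or anything from Qbot itself; the Run-key entries, process list, value name "Xnvpte" and all paths are constructed, hypothetical samples. On a live host the same two inputs would be collected with the winreg module and a process listing, or pulled from an EDR export.

```python
"""Hunt for the Run-key persistence (step 3) and the explorer.exe injection
(step 6) described in the infection chain above.  Added example with
constructed sample data; names and paths are hypothetical."""
import re

# %APPDATA% resolves to <profile>\AppData\Roaming on a default Windows profile.
ROAMING_MARKER = "\\appdata\\roaming\\"


def image_path(command):
    """Return the executable path from a Run-key command line: either the
    quoted first token or the first whitespace-separated token."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def suspicious_run_entries(entries):
    """Flag Run values whose image lives under %APPDATA% (AppData\\Roaming).
    Legitimate per-user software usually installs under %LOCALAPPDATA%
    (AppData\\Local), so Roaming is a much smaller haystack to review."""
    hits = []
    for name, command in entries:
        path = image_path(command)
        if ROAMING_MARKER in path.lower():
            hits.append((name, path))
    return hits


def suspicious_explorer(processes):
    """Flag explorer.exe instances whose parent is still alive and is neither
    userinit.exe (the normal shell launcher) nor explorer.exe itself.
    A parent running out of %APPDATA% is exactly the copy from step 5."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        if p["name"].lower() != "explorer.exe":
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue  # normal: userinit.exe starts the shell and exits
        if parent["name"].lower() not in ("userinit.exe", "explorer.exe"):
            hits.append((p["pid"], parent["name"], parent["exe"]))
    return hits


# Constructed sample data (hypothetical value name, process names and paths).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Xnvpte", r'"C:\Users\alice\AppData\Roaming\Microsoft\Xnvpte\xnvpte.exe"'),
]

SAMPLE_PROCESSES = [
    # pid 900 (userinit.exe) has already exited, so the shell has no live parent.
    {"pid": 1200, "ppid": 900, "name": "explorer.exe", "exe": r"C:\Windows\explorer.exe"},
    {"pid": 4100, "ppid": 1200, "name": "xnvpte.exe",
     "exe": r"C:\Users\alice\AppData\Roaming\Microsoft\Xnvpte\xnvpte.exe"},
    {"pid": 4132, "ppid": 4100, "name": "explorer.exe", "exe": r"C:\Windows\explorer.exe"},
    {"pid": 4200, "ppid": 1200, "name": "notepad.exe", "exe": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"Run value {name!r} -> {path}")
    for pid, pname, pexe in suspicious_explorer(SAMPLE_PROCESSES):
        print(f"explorer.exe pid {pid} spawned by {pname} ({pexe})")
```

Both checks are deliberately narrow: a Run value under AppData\Roaming is worth a look but not proof of compromise, and an explorer.exe whose parent has exited is normal. What makes the pair strong here is the correlation the chain predicts, a Roaming-resident image that is both the Run target and the parent of a second explorer.exe.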
“Qbot has been around for a dozen years with pretty much the same functionality. The targets changed and features were added, but it’s still primarily about keylogging and, secondarily, about extracting a victim’s personal data. As Qbot waxes and wanes in popularity with attackers, it is hard to gauge its overall impact on a global scale. However, it is still a viable threat for defenders to be aware of,” the researchers concluded.