Qbot — also known as Qakbot — is a form of malware that’s been around for a number of years, but security researchers at Cisco Talos have noted that it has returned with a vengeance. Once installed, the malware steals sensitive data stored in files and browser cookies, and also monitors live web sessions to capture login credentials as they are entered.
Detection and immunization are made difficult by the fact that Qbot randomizes strings, code blocks, file names and encryption keys from build to build, so hash- and string-based signatures go stale quickly; what it actually does on an infected host is far more consistent, and it can still be detected by that behavior. Cisco Talos analyzed no fewer than 618 samples of the malware and found that Qbot carries its own auto-update function, and that its developers have been hard at work on it.
The latest versions of Qbot include Webinjects, meaning that it can inject its own content into web pages as the browser renders them. Cisco Talos explains that “Webinjects can be very powerful, in some cases automating large banking transactions without any interaction from the user”. Qbot doesn’t go quite this far, but it does use a browser redirect to prevent users from logging out of online banking sessions. The thinking here is that an authenticated session that never ends gives the malware more time to harvest the session cookies, which stay valid and can be reused later.
You may scoff at the notion of malware with an auto-update function, but it’s something that Qbot takes full advantage of. Cisco Talos says that development seems to have slowed of late, but in the first couple of months of the year new versions were being pushed out several times a day. Having analyzed a number of binaries associated with the malware, the researchers concluded that this was a highly organized operation that was apparently being treated like a full-time job:
The unpacked binaries all have compile times between 6am and 8pm GMT. This time distribution looks more like a full-time job than a side project. The packed binaries have compile times with a lot more variance, suggesting the packing is either done by another person with a much more flexible schedule or with the assistance of some kind of automation. Developing source code requires a lot more experience than running a packing tool, so packing could be done by less technically skilled members of the team.
The packed compile times mostly fall between 8am and 10pm GMT, 2 hours shifted from the average work day for the unpacked samples. If the packing process was completely automated, we would expect to see these compile times distributed more randomly (with some binaries compiled between midnight and 6am) or with a predictable schedule such as once a day at a specific time.
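The compile-time analysis in the quoted passage is straightforward to reproduce on your own sample set. The following Python is an added example, not Cisco Talos’s code and not part of the original article: it parses the COFF TimeDateStamp out of a PE header and buckets samples by UTC hour, so a working-day cluster like the one Talos describes becomes visible as a high in-window fraction and an empty overnight bucket. The sample images, their timestamps and the 06:00–20:00 and 08:00–22:00 windows are constructed for illustration; they are not real Qbot samples.

```python
import struct
from collections import Counter
from datetime import datetime, timezone


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct the smallest byte string our parser accepts: a DOS header whose
    e_lfanew points at the 'PE\\0\\0' signature, followed by a COFF file header.
    These are constructed test images, not real malware samples."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff_header


def pe_compile_time(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) and return it
    as an aware UTC datetime, which is what 'GMT' in the Talos quote refers to."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def hour_histogram(samples) -> Counter:
    """Count samples per UTC hour of day (0-23)."""
    return Counter(pe_compile_time(s).hour for s in samples)


def in_window_fraction(hist: Counter, start: int, end: int) -> float:
    """Fraction of samples whose hour satisfies start <= hour < end."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    inside = sum(n for hour, n in hist.items() if start <= hour < end)
    return inside / total


def schedule_summary(samples, start: int, end: int) -> dict:
    """Summarize how tightly a sample set clusters inside a working window.
    'overnight' is the share compiled between 00:00 and 06:00, the bucket Talos
    notes would be populated if packing were fully automated."""
    hist = hour_histogram(samples)
    return {
        "count": sum(hist.values()),
        "earliest_hour": min(hist) if hist else None,
        "latest_hour": max(hist) if hist else None,
        "in_window": in_window_fraction(hist, start, end),
        "overnight": in_window_fraction(hist, 0, 6),
    }


def _stamp(hour: int, minute: int = 30) -> int:
    # All constructed samples share one arbitrary date; only the time of day matters.
    return int(datetime(2016, 1, 12, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample sets mimicking the pattern Talos describes: the unpacked
# set sits inside 06:00-20:00 GMT, the packed set drifts about two hours later.
UNPACKED_SAMPLES = [build_minimal_pe(_stamp(h)) for h in (6, 7, 9, 9, 11, 13, 14, 16, 17, 19)]
PACKED_SAMPLES = [build_minimal_pe(_stamp(h)) for h in (8, 9, 10, 12, 15, 18, 19, 20, 21, 21)]

if __name__ == "__main__":
    for name, samples, window in (("unpacked", UNPACKED_SAMPLES, (6, 20)),
                                  ("packed", PACKED_SAMPLES, (8, 22))):
        print(name, schedule_summary(samples, *window))
```

Two caveats when running this against real files. The TimeDateStamp is written by the linker and is entirely under the author’s control, so it can be zeroed, randomized or set to a decoy; the inference only carries weight across hundreds of samples, as in the Talos data, and only for authors who did not bother to tamper with it. For real PE files the pefile library exposes the same field as `FILE_HEADER.TimeDateStamp`, which can replace the minimal parser above.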
The systematic approach to malware writing and updating is almost impressive, but also worrying. There is a lot of money to be made from stealing login credentials, so it is perhaps not surprising that criminals are willing to put so much effort into their coding. When it comes to keeping safe, Cisco Talos says:
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.