Security researchers at F5 Labs have found attacks with Qbot malware payloads aimed at stealing the credentials of customers of dozens of US banks. Qbot (also known as Qakbot, Pinkslipbot and Quakbot) is a banking trojan with worm capabilities. It is used to steal bank credentials and financial data. At the same time it can monitor users' keystrokes (keylogging) and install backdoors and other malware to further infect compromised machines.
People who have fallen victim to the Qbot banking trojan are customers of the following well-known banks (among others): JP Morgan, Citibank, Bank of America, Citizens, Capital One, Wells Fargo and FirstMerit Bank.
Overall, the Qbot campaign targets 36 different US financial institutions, as well as two banks in Canada and the Netherlands.
Qbot: An old banking trojan with new features!
Qbot has been in use since at least 2008. Its core hasn't changed much, but the latest samples discovered by F5 Labs researchers include a set of new features.
The new versions of the Qbot trojan are designed to detect and evade capture and analysis by security researchers.
Qbot can hide its code from scanners and other tools. The malware also has anti-virtual-machine techniques, which further complicate analysis.
The malware is delivered to target computers mainly through browser hijacks (redirects).
Once on the victim's machine, Qbot is loaded into the memory of the explorer.exe process and copies itself to the %APPDATA% folder.
After copying itself, the malware injects into a new explorer.exe process.
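The two host-level indicators just described (an executable copied into %APPDATA%, then a fresh explorer.exe started from the already-infected explorer.exe) are the kind of thing an endpoint telemetry rule can catch. The following is an added detection example, not code from the article or from F5 Labs. It runs over Sysmon-style events in a simplified, assumed shape (id 1 = ProcessCreate with Image/ParentImage/User, id 11 = FileCreate with TargetFilename); the sample events are constructed.

```python
"""Added detection example (not from the article or F5 Labs): flag the two
host indicators described above, an executable copied into %APPDATA% and a
new explorer.exe process spawned from explorer.exe, over Sysmon-style
events. The event shape (id 1 = ProcessCreate, id 11 = FileCreate with the
fields below) is a simplified assumption, and all sample events are
constructed."""
import ntpath
from typing import Dict, Iterable, List

EXEC_EXTENSIONS = {".exe", ".dll", ".scr"}

# Constructed sample telemetry for one user session (not real data).
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "User": r"CORP\alice"},
    {"id": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\wmkuyrq\wmkuyrq.exe"},
    {"id": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"id": 11, "Image": r"C:\Program Files\Editor\editor.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Editor\settings.json"},
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
]


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def is_appdata_executable_drop(ev: Dict) -> bool:
    """FileCreate of an executable anywhere under a user's AppData tree.
    %APPDATA% is AppData\\Roaming; matching all of AppData is a deliberate
    widening so Local and LocalLow drops are caught as well."""
    target = ev.get("TargetFilename", "")
    return ("\\appdata\\" in target.lower()
            and ntpath.splitext(target)[1].lower() in EXEC_EXTENSIONS)


def is_explorer_respawn(ev: Dict) -> bool:
    """ProcessCreate where explorer.exe is started by explorer.exe. The shell
    is normally started by userinit.exe, so a second explorer.exe child of
    the shell matches the re-injection step described in the article."""
    return (_basename(ev.get("Image", "")) == "explorer.exe"
            and _basename(ev.get("ParentImage", "")) == "explorer.exe")


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Scan events in order. An explorer respawn that follows an AppData
    executable drop is rated high; one seen on its own is rated low."""
    findings: List[Dict] = []
    seen_drop = False
    for idx, ev in enumerate(events):
        if ev.get("id") == 11 and is_appdata_executable_drop(ev):
            seen_drop = True
            findings.append({"rule": "appdata_executable_drop", "index": idx,
                             "severity": "medium", "path": ev["TargetFilename"]})
        elif ev.get("id") == 1 and is_explorer_respawn(ev):
            findings.append({"rule": "explorer_spawns_explorer", "index": idx,
                             "severity": "high" if seen_drop else "low",
                             "user": ev.get("User")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Explorer occasionally spawns a second explorer.exe legitimately (for example when a user has enabled separate-process folder windows), which is why the respawn rule is only rated high when it follows an executable write into AppData in the same session; in a real deployment the two events should also be tied by user and host rather than by ordering alone.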
“As Qbot monitors the victim's web traffic, it looks for specific financial services from which it will collect credentials,” the analyst explained.
Attackers often use exploit kits to install the Qbot payload on target machines; the bot then infects other devices on the same network through exploits and brute-force attacks against Active Directory administrator accounts.
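The brute-force step against Active Directory administrator accounts leaves a recognisable trace in the Windows Security log: a burst of failed logons for one account from one source host. The following is an added detection example, not code from the article or from F5 Labs. Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows IDs; the one-line log format, the sample lines and the admin account list are all constructed assumptions for the example.

```python
"""Added detection example (not from the article or F5 Labs): flag a burst of
failed logons against the same account from the same source, the pattern a
brute-force attempt against an administrator account leaves in the Windows
Security log. Event ID 4625 (failed logon) and 4624 (successful logon) are
the real Windows IDs; the one-line log format and all sample lines are
constructed, and the admin account list is an assumption."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")
ADMIN_ACCOUNTS = {"administrator", "da-backup"}   # constructed list
WINDOW = timedelta(seconds=60)                     # sliding window length
THRESHOLD = 5                                      # failures inside the window

# Constructed log lines: six failures against Administrator from one host
# inside a minute, plus one failure and one success for a normal user.
SAMPLE_LOG = [
    "2017-05-15T10:00:01 4625 TargetUserName=Administrator IpAddress=10.0.0.23",
    "2017-05-15T10:00:03 4625 TargetUserName=Administrator IpAddress=10.0.0.23",
    "2017-05-15T10:00:04 4625 TargetUserName=alice IpAddress=10.0.0.50",
    "2017-05-15T10:00:06 4625 TargetUserName=Administrator IpAddress=10.0.0.23",
    "2017-05-15T10:00:09 4625 TargetUserName=Administrator IpAddress=10.0.0.23",
    "2017-05-15T10:00:12 4625 TargetUserName=Administrator IpAddress=10.0.0.23",
    "2017-05-15T10:00:15 4624 TargetUserName=alice IpAddress=10.0.0.50",
    "2017-05-15T10:00:20 4625 TargetUserName=Administrator IpAddress=10.0.0.23",
]


def parse(line: str) -> Optional[Dict]:
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
            "user": m["user"].lower(), "ip": m["ip"]}


def detect_bruteforce(lines: Iterable[str], window: timedelta = WINDOW,
                      threshold: int = THRESHOLD) -> List[Dict]:
    """Sliding-window count of 4625 events per (source IP, target account).
    One alert is raised per key the first time the count reaches the
    threshold; admin_target marks hits on the accounts that matter most."""
    buckets: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict] = []
    for rec in map(parse, lines):
        if rec is None or rec["eid"] != 4625:
            continue
        key = (rec["ip"], rec["user"])
        q = buckets[key]
        q.append(rec["ts"])
        # Drop failures that have aged out of the window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ip": key[0], "user": key[1], "count": len(q),
                           "admin_target": key[1] in ADMIN_ACCOUNTS,
                           "first": q[0], "last": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Keying on source IP and target account together separates a password-spraying host from a user who has simply mistyped a password; a second rule keyed on source IP alone (many accounts, few failures each) covers the spray case, and a 4624 success for a key that has just alerted is the event to escalate on.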
This banking trojan is mostly used in targeted attacks on corporate entities that can yield large profits for its operators.
For this reason, many Qbot campaigns have gone unidentified, even though the trojan has been in use for over 10 years. Researchers had identified one campaign in October 2014, one in April 2016 and another in mid-May 2017.
Qbot is also said to have been used more recently by the Emotet gang in the early stages of attacks.
More details on the new Qbot campaign can be found in the F5 Labs report.