Qbot Continues Stealing Vulnerable Passwords

Dozens of malware families appear every day. Many of them are written by less capable hackers and are not that difficult to protect against which means that usually, they fail to make any sort of significant impression and are gone within a couple of days. Other malware campaigns are better organized and longer-lived, operating for anything from a few weeks to a couple of years. Very few families are going strong more than a decade after they first appeared, though. Quakbot, also known as Qbot, is one of them.

Qbot – a resilient enterprise-grade malware

You're unlikely to find Qbot on your home PC. Ever since its first appearance in 2008, it has been targeting organizations and companies. One of the features that make it particularly nasty is its worm-like ability to move around a corporate network through shared drives and removable storage devices.

The range of malicious activities it can perform is also impressive. In 2017, for example, it made the headlines when it locked hundreds of employees of different organizations out of their Active Directory accounts. Experts have also seen Qbot display information stealing and keylogging capabilities, but it's fair to say that its primary function has always been pilfering organizations' login credentials with the goal of draining their bank accounts. According to a report from Cisco's Talos team, in early April, Qbot's operators launched the latest in a long line of campaigns and used it as an opportunity to showcase the malware's clever new features.

A sophisticated infection chain makes Qbot an even more formidable threat

When they saw an uptick in Qbot's activity, Cisco's researchers quickly got their hands on a sample and found out that the criminals haven't really updated the malware's core functionality all that much. Instead, Qbot's operators have changed the way the banking trojan invades an organization's network and have added some detection evasion mechanisms that make it all the more dangerous.

First, a dropper creates a scheduled task which executes a JavaScript downloader located in the ProgramData folder and disguised as a Windows Media Player playlist file. The downloader queries a list of hijacked domains and looks for a specific PHP file which tells it where to look for the payload.

At this point, the downloader could just download and execute the malware, but that would increase the chances of detection, which is why, for this campaign, the criminals divided the Qbot trojan into two separate files with a .zzz extension, with the first 1,000 bytes contained in the first file, and the rest put in the second one. Another scheduled task executes a batch file which reassembles the trojan and runs it.

Splitting the payload into two separate files rather than trying to mask all the malicious code in a single binary was a very clever move on the hackers' part. Cisco's experts reckon that this alone could be enough to fool some security products, and thanks to some additional obfuscation techniques, the chances of detection are even lower. Unfortunately, this all suggests that although it's now more than ten years old, Qbot is definitely here to stay.