The Qbot Trojan has been plaguing computer users and businesses for over a decade and the cyber criminals behind it are still coming up with new tricks that keep it one of the most prevalent and successful malware threats.
The latest technique observed by security researchers involves the malware inserting itself into the legitimate email threads of their victims to spread.
Qbot, also known as Qakbot or Pinkslipbot, started out as a banking Trojan focused on stealing online banking credentials, but has since evolved into a "Swiss Army knife" that's used for a variety of purposes including distributing ransomware, according to researchers from security firm Check Point Software Technologies who tracked the malware's latest campaigns.
Toward the end of last month, a new Qbot variant started being distributed by another Trojan called Emotet as part of a new spam campaign that affected many organisations worldwide. That new variant exhibited new features and a new command-and-control infrastructure. This continued with a renewed Qbot distribution campaign earlier this month.
"One of Qbot’s new tricks is particularly nasty, as once a machine is infected, it activates a special ‘email collector module’ which extracts all email threads from the victim's Outlook client, and uploads it to a hardcoded remote server," the Check Point researchers said in a new report.
"These stolen emails are then utilised for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation."
The company has seen hijacked email threads in which Qbot inserted itself with subjects related to the Covid-19 pandemic, tax reminders and job recruitments.
A third of the organisations targeted in the new campaigns were from the US, but organisations from Europe were also heavily affected. The most targeted industries were government, military, manufacturing, insurance, legal, healthcare and banking.
How Qbot spreads
The Qbot infection chain is not very sophisticated and has changed since April. In the past, spam emails that delivered Qbot used malicious documents with macros, but now they contain URLs to a .zip file that has a downloader script inside written in VBScript (VBS).
These type of scripts used to execute natively on Windows in the context of Internet Explorer as it's a scripting language developed by Microsoft, but it has been deprecated since last year after being abused by attackers for years. However, attackers know that many businesses still use old versions of Windows and Internet Explorer that are lacking the latest security features and updates.
The VBS downloader used by Qbot has routines that detect virtual machines and analysis sandboxes and pulls an .exe payload from six hardcoded URLs. If the payload executes successfully, it deploys the Qbot malware on the computer.
The most noteworthy and newest part of the Qbot distribution chain is the email thread hijacking, which gives increased credibility to the spam emails. The examples provided by Check Point include an email thread about business continuity during Covid-19, a topic many organisations are likely to be interested in.
Another one was a reply to a emailed job recruitment seeking a developer with experience in C#, Java and PowerShell. The URLs inside the rogue emails pointed to .zip files hosted on hacked WordPress sites.
Qbot’s modular architecture
The Qbot malware is modular with individual components that handle different features. New modules the Check Point researchers identified include:
- A module used for communicated with command-and-control servers and executing commands received from it
- An email collector module to steal email threads from Outlook
- A hooking module to inject web forms into browsing sessions
- A password stealer module
- A VNC plug-in that allows attackers to open remote desktop connections to victims' computers
- A cookie grabber module that steals authentication cookies from browsers that can then be used to hijack sessions
- An updater module
- A proxy module
"Once the victim has been infected, their computer is compromised, and they are also a potential threat to other computers in the local network because of Qbot's lateral movement capabilities," the researchers said. "The malware then checks whether the victim can also be a potential bot as part of Qbot’s infrastructure."
The new findings highlight that Qbot remains a dangerous threat, possibly even more so than it was before. It's unlikely that the Trojan will disappear anytime soon as the cyber criminals controlling it remain interested in developing it and adding new features and techniques.
Organisations should pay increased attention to infections with bots like Emotet or Qbot because they are used as distribution platforms for other malware and often serve as the gateway for ransomware into corporate networks.