This year has seen a resurgence of malware. In this blog, we take a look at yet another malware family that has returned to tormenting financial institutions. A malware family that has been around since 2007, known by various names such as Pinkslipbot, Qakbot and Quakbot, has resurfaced with a new name and a new version, Qbot. Its core functionality remains that of a keylogger and data stealer.
The core functionality of this malware has not changed much since it started out as a backdoor, but it has certainly added more capabilities to its list.
Earlier this month, a Qbot campaign targeted 36 different financial institutions across the United States and a couple in Canada and the Netherlands. The campaign was run to steal credentials and financial data from customers, to log user keystrokes, and to deploy backdoors on compromised machines.
The latest version of the malware is armed with evasive techniques and a new packing layer that scrambles and hides its code from scanners and signature-based tools. It also includes anti-virtual-machine techniques to resist forensic examination.
The Qbot malware watched victims' web traffic for specific financial services in order to harvest credentials. The main attack method used in these campaigns was browser hijacking.
Because Qbot can spread quickly through connected networks and cause a widespread incident, attackers have often used exploit kits to drop the malware on their target machines.
In May of this year, a new ransomware strain called ProLock gained access to a compromised network through the Qbot Trojan. The Trojan may target healthcare organizations, government entities, and financial and retail organizations. In December last year, operators of the Spelevo EK used a social engineering tactic to download and execute an additional Qbot payload from decoy adult sites.
According to our security experts, users should always update their antivirus software, apply critical patches, and inspect encrypted traffic. To block or detect backdoor server communications with remote client applications, a firewall or an IDS should be used.
To read more, please check eScan Blog