Qbot Banking Malware Can Infect Cybersecurity Firms

A new strain of Qbot malware is spying on corporations around the world to steal their financial information and has even infected multiple cybersecurity vendors, according to information security firm Varonis. Varonis has not named the affected cybersecurity vendors, but it says thousands of businesses have been compromised and are under active control by the cybercriminals.
 
Attackers have used a new variant of a banking malware known as Qbot, which first appeared in 2009. The strain is polymorphic, meaning it can rapidly mutate to stay ahead of anti-virus systems.
 
“One of the more interesting things about this strain is its evasion techniques: it scans AVs (anti-virus software) on the system, it looks for monitoring tools, and tries to stay undetected,” says Snir Ben Shimol, director of cybersecurity at Varonis.
 
“The malware is also using a vast variety of legit certifications to sign the malicious executables to evade detection. Moreover, it is constantly changing and evolving, adding new tools to its arsenal and making it harder for the defenders to detect and analyse it.”
 
Varonis says it found 2,726 unique victim IP addresses but warns that number could be far higher because many organisations mask their internal IP addresses.
 
“From what we can tell, affected companies include Fortune 500 and mid-size corporations, as well as their service providers. Another interesting fact is we found big security vendors in the list of victims,” Shimol told Verdict.
Around 1,750 of these victims are located in the US. In a distant second place, the UK has roughly 75 victims.
Although Qbot appears to be actively targeting US corporations, there are victims throughout Europe, South America, Asia and Africa. The amount of money stolen is unknown.
 
How does Qbot malware steal financial details?
This new campaign seems to have started around November 2018. Varonis initially became aware of it after Varonis DatAlert warned one of the company’s North American customers of suspicious activity.
Varonis researchers analysed the findings and identified the malware as a new variant of Qbot, which has also gone by the name Qakbot, Pinkslip or Pinkslipbot.
 
The banking Trojan is most likely downloaded when victims visit an infected webpage.
Once in place, it spreads by copying itself to shared folders and removable drives.
In this version of Qbot, the first infection of a network is carried out by a phishing email that entices victims to click on a malicious zip file. It is unknown if the infected cybersecurity vendors unwittingly played any part in spreading the Qbot malware.
 
“Basically the attacker sends enticing emails to the victims that contain malicious code or a link to download the first dropper,” explains Shimol.
 
“After infecting the first victim at an organisation, the malware uses different brute-force attack techniques to try and laterally
move in the network.”
 
The main goal of the malware is to steal money. It does so by capturing every keystroke on an infected device and sends them to the cybercriminals. It can also send victim’s cookies and exploit APIs to extract financial information. May 2017 saw a resurgence of Qbot, which saw hundreds to thousands of victims locked out of their company’s domain, leaving affected organisations unable to access servers, endpoints and network assets.
 
Who is behind the Qbot strain?
Shimol says that they don’t know anything about the origin of the attacker or their motives.
 
“According to the information we’ve analysed, there are some indicators that parts of the attacker’s infrastructures were placed within Russia,” he said.
 
“However, there is no additional information about the attacker’s identities, other than their motivation to target specific financial institutions globally.”
 
Varonis tracked down the attacker’s server. From their analysis, they discovered a list of victim IP addresses, operating system details and anti-virus product names. It showed how the new Qbot strain has infected at least 14,687 devices with the Windows 10 Enterprise operating system, 13,209 Windows 10 Pro and 13,042 Windows 7 Pro.
 
The Qbot malware was able to bypass 46,438 Windows Defender anti-virus products, as well as thousands using McAfee and Symantec.
 
How to avoid it and what to do if you’re infected
The easiest way to avoid being infected is to stay away from phishing emails.
 
“Don’t open suspicious attachments, don’t click suspicious links, alert your SOC team for any unusual activity,” says Shimol.
 
“If you suspect that you are infected, use an AV product to scan the PC, and, as a SOC team, monitor the IOCs that are in the report.”
 
Shimol shared these five steps with Verdict that companies can follow:
 
1. Look for suspicious external emails containing Microsoft office attachments or URLs to unknown websites
2. Check for abnormal amounts of lockouts or login failures particularly for privileged accounts
3. Look for abnormal web traffic and direct download requests from your endpoints
4. Identify abnormal amounts of devices being access by accounts within the network
5. Use the IOCs to detect related files, IPs of the threat actors
 
Varonis says that it has shared its findings – including non-public information – with the appropriate authorities. 
 
 
You Might Also Read:

The Top 5 Malware Attack Types:

 
« Knowing How Your Data Behaves Is The Key To Cybersecurity
Bank of England Testing Banks' Cyber Resilience »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

SolarWinds

SolarWinds

SolarWinds as a worldwide leader in solutions for network and IT service management, application performance, and managed services.

MobileIron

MobileIron

MobileIron provides EMM capabilities to IT organizations that need to secure mobile devices, applications and content.

Cyber Risk Policies

Cyber Risk Policies

CyberRiskPolicy.com is a joint venture between the Poindexter Surety Group of companies and Gibbs Cyber Security.

ARC Advisory Group

ARC Advisory Group

ARC is a leading technology research and advisory firm with expertise in both information technologies (IT) and operational technologies (OT)

MACH37

MACH37

MACH37 is a market-centric cybersecurity accelerator program designed to facilitate the creation of the next generation of cybersecurity product companies.

CTM360

CTM360

CTM360® is a Cyber Security subscription service offering 24 x 7 x 365 Cyber Threat Management for detecting and responding to cyber threats.

RCDevs

RCDevs

RCDevs is an award-winning Software company providing security solutions designed for modern enterprise technologies and suited for SMEs to large corporations.

Uleska

Uleska

Uleska is a scalable platform that provides automated and continuous software security testing whilst translating cyber risk.

European Cyber Security Conference

European Cyber Security Conference

EU Cyber Security Conference will debate what Europe’s response to evolving threats in a dynamic global risk landscape should look like and what the next steps for all actors of the ecosystem.

Tech Nation

Tech Nation

Tech Nation is the UK’s first national scaleup programme for the cyber security sector, aimed at ambitious tech companies ready for growth, at home and abroad.

Kasada

Kasada

Kasada provides bot detection and mitigation for enterprise web applications. Stop the bots before they reach your site and web applications.

Searchlight Cyber

Searchlight Cyber

Searchlight Cyber is a leading darknet intelligence company. Working with law enforcement, industry, and end users to help protect society against the threats of the darknet.

Riskonnect

Riskonnect

Riskonnect technology empowers organizations with the ability to anticipate, manage, and respond in real-time to strategic, operational, and digital risks across the extended enterprise.

Aceiss

Aceiss

Aceiss empowers access security, providing unprecedented visibility and insights into user access.

Xcelerate Solutions

Xcelerate Solutions

Xcelerate Solutions is a leading defense and national security company, providing integrated solutions in three service areas – Enterprise Security, Digital Transformation, and Strategic Consulting.

SCS Technology Solutions

SCS Technology Solutions

SCS Technology Solutions has become the preferred partner for top performing organisations across Lincolnshire for IT support and consultancy.