Qbot Banking Malware Can Infect Cybersecurity Firms

A new strain of Qbot malware is spying on corporations around the world to steal their financial information and has even infected multiple cybersecurity vendors, according to information security firm Varonis. Varonis has not named the affected cybersecurity vendors, but it says thousands of businesses have been compromised and are under active control by the cybercriminals.
 
Attackers have used a new variant of a banking malware known as Qbot, which first appeared in 2009. The strain is polymorphic, meaning it can rapidly mutate to stay ahead of anti-virus systems.
 
“One of the more interesting things about this strain is its evasion techniques: it scans AVs (anti-virus software) on the system, it looks for monitoring tools, and tries to stay undetected,” says Snir Ben Shimol, director of cybersecurity at Varonis.
 
“The malware is also using a vast variety of legit certifications to sign the malicious executables to evade detection. Moreover, it is constantly changing and evolving, adding new tools to its arsenal and making it harder for the defenders to detect and analyse it.”
 
Varonis says it found 2,726 unique victim IP addresses but warns that number could be far higher because many organisations mask their internal IP addresses.
 
“From what we can tell, affected companies include Fortune 500 and mid-size corporations, as well as their service providers. Another interesting fact is we found big security vendors in the list of victims,” Shimol told Verdict.
Around 1,750 of these victims are located in the US. In a distant second place, the UK has roughly 75 victims.
Although Qbot appears to be actively targeting US corporations, there are victims throughout Europe, South America, Asia and Africa. The amount of money stolen is unknown.
 
How does Qbot malware steal financial details?
This new campaign seems to have started around November 2018. Varonis initially became aware of it after Varonis DatAlert warned one of the company’s North American customers of suspicious activity.
Varonis researchers analysed the findings and identified the malware as a new variant of Qbot, which has also gone by the name Qakbot, Pinkslip or Pinkslipbot.
 
The banking Trojan is most likely downloaded when victims visit an infected webpage.
Once in place, it spreads by copying itself to shared folders and removable drives.
In this version of Qbot, the first infection of a network is carried out by a phishing email that entices victims to click on a malicious zip file. It is unknown if the infected cybersecurity vendors unwittingly played any part in spreading the Qbot malware.
 
“Basically the attacker sends enticing emails to the victims that contain malicious code or a link to download the first dropper,” explains Shimol.
 
“After infecting the first victim at an organisation, the malware uses different brute-force attack techniques to try and laterally
move in the network.”
 
The main goal of the malware is to steal money. It does so by capturing every keystroke on an infected device and sends them to the cybercriminals. It can also send victim’s cookies and exploit APIs to extract financial information. May 2017 saw a resurgence of Qbot, which saw hundreds to thousands of victims locked out of their company’s domain, leaving affected organisations unable to access servers, endpoints and network assets.
 
Who is behind the Qbot strain?
Shimol says that they don’t know anything about the origin of the attacker or their motives.
 
“According to the information we’ve analysed, there are some indicators that parts of the attacker’s infrastructures were placed within Russia,” he said.
 
“However, there is no additional information about the attacker’s identities, other than their motivation to target specific financial institutions globally.”
 
Varonis tracked down the attacker’s server. From their analysis, they discovered a list of victim IP addresses, operating system details and anti-virus product names. It showed how the new Qbot strain has infected at least 14,687 devices with the Windows 10 Enterprise operating system, 13,209 Windows 10 Pro and 13,042 Windows 7 Pro.
 
The Qbot malware was able to bypass 46,438 Windows Defender anti-virus products, as well as thousands using McAfee and Symantec.
 
How to avoid it and what to do if you’re infected
The easiest way to avoid being infected is to stay away from phishing emails.
 
“Don’t open suspicious attachments, don’t click suspicious links, alert your SOC team for any unusual activity,” says Shimol.
 
“If you suspect that you are infected, use an AV product to scan the PC, and, as a SOC team, monitor the IOCs that are in the report.”
 
Shimol shared these five steps with Verdict that companies can follow:
 
1. Look for suspicious external emails containing Microsoft office attachments or URLs to unknown websites
2. Check for abnormal amounts of lockouts or login failures particularly for privileged accounts
3. Look for abnormal web traffic and direct download requests from your endpoints
4. Identify abnormal amounts of devices being access by accounts within the network
5. Use the IOCs to detect related files, IPs of the threat actors
 
Varonis says that it has shared its findings – including non-public information – with the appropriate authorities. 
 
 
You Might Also Read:

The Top 5 Malware Attack Types:

 
« Knowing How Your Data Behaves Is The Key To Cybersecurity
Bank of England Testing Banks' Cyber Resilience »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Q-CERT

Q-CERT

Q-CERT is the National Computer Security Emergency Team of Qatar.

CLUSIS

CLUSIS

CLUSIS is an association for the information security industry in Switzerland.

DCIT

DCIT

DCIT is a specialist in providing comprehensive consulting and auditing services in the field of information technology, PROVYS development software and security system AuditSquare.

Egis Technology

Egis Technology

Egis specializes in the IC design, research and development, and the testing and sales of capacitive fingerprint sensor.

TI Safe

TI Safe

TI Safe provide cybersecurity solutions for industrial networks of main critical infrastructures in Latin America.

Cloudentity

Cloudentity

Cloudentity combines Identity for all things with API and Application security in a unique deployment model, combining cloud-transformation and legacy systems.

CyberFortress

CyberFortress

CyberFortress is an insuretech startup offering a new kind of online business interruption policy designed for small business.

SaltStack

SaltStack

SaltStack develops award-winning intelligent IT automation software. We help businesses more efficiently secure and manage all aspects of their digital infrastructure.

Cyber Security & Cloud Expo

Cyber Security & Cloud Expo

The Cyber Security & Cloud Expo is an international event series in London, Amsterdam and Silicon Valley.

ValidSoft

ValidSoft

ValidSoft is a security software company, providing telecommunications-based multi-factor authentication, identity and transaction verification technology.

CISO Global

CISO Global

CISO Global (formerly Cerberus Sentinel) are on a mission to demystify and accelerate our clients’ journey to cyber resilience, empowering organizations to securely grow, operate, and innovate.

BlackDice Cyber

BlackDice Cyber

Threat Intelligence is only part of the solution. Our solution matches threats to vulnerabilities and automatically takes remedial action against compromised apps, devices and websites.

Prima Cyber Solutions (PCS)

Prima Cyber Solutions (PCS)

Prima Cyber Solutions is focused on protecting your business from the massive and devastating impacts that cyber-attacks may cause.

Valency Networks

Valency Networks

Valency Networks provide cutting edge results in the areas of Vulnerability Assessment and Penetration Testing services for webapps, cloud apps, mobile apps and IT networks.

Cyberwatch Finland

Cyberwatch Finland

Cyberwatch Finland's services improve decision-makers’ strategic situational picture and enable successful holistic cyber risk management.

Google Safety Engineering Center (GSEC)

Google Safety Engineering Center (GSEC)

GSEC Málaga is an international cybersecurity hub where Google experts work to understand the cyber threat landscape and to create tools that keep users around the world safer online.