
Qbot Needs Only 30 Minutes to Steal Your Credentials, Emails

Qbot, also known as Qakbot or QuakBot, has returned to light-speed attacks, stealing sensitive data only 30 minutes after the initial infection. Qbot is a modular banking trojan that has been around since at least 2007, but in that time has been modified and developed to be more than just a simple banking trojan, with additional features including the ability to act as a delivery agent for ransomware.

Qbot is typically delivered via phishing emails with an Excel document attached that contains a malicious macro. Upon execution, this macro drops the DLL loader onto the target system and executes it. Qbot first injects into the msra.exe process, using a built-in Windows binary to perform its additional activity and so help evade detection. The malware also attempts to add itself to the Windows Defender exclusions list via the Registry to prevent the anti-malware system from removing it. Qbot also attempts to escalate privileges by creating a scheduled task that runs itself as SYSTEM a few minutes after the task is created.

From there, Qbot attempts to steal sensitive information on the system, including email threads to be used for further phishing attacks and Windows credentials stored in memory. Qbot will then attempt to laterally move within the network, using the stolen Windows credentials to execute itself on other workstations by creating a remote service to execute its DLL payload.

Analysis of an active campaign using this version of Qbot has seen information stolen from the victim in around 30 minutes and successful lateral movement in 50 minutes, showing just how rapid Qbot is in achieving its objectives.

Analyst Notes

Since Qbot's main infection point is malicious Office documents delivered via phishing emails, it is highly recommended to maintain good email security filtering and controls, including attachment scanning and sandboxing, to help prevent these documents from reaching end users. It is also recommended to disable macro execution in Office documents if possible, or, if not, to disable macros unless they are digitally signed by a trusted publisher. These steps will go a long way in preventing many families of malware beyond just Qbot from infecting a system. Microsoft has recently announced changes in several Microsoft apps to prevent macros in documents downloaded from the Internet from executing, which will also help tremendously in stopping malware from infecting a system. Furthermore, maintaining appropriate security controls and logging on endpoints can help detect malware infections such as this. Monitoring for abnormal process chains, suspicious network callouts, and unusual Registry modifications can help detect malicious behavior occurring on a system. Binary Defense's Managed Detection and Response service is a great asset to assist with these types of detection needs.
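The endpoint monitoring described above, turned into four behavioral checks that map to the Qbot chain in this report (msra.exe spawned from an untrusted parent, a Windows Defender exclusion written to the Registry, a SYSTEM scheduled task pointing at a user-writable path, and a service whose binary path loads a DLL). This is an added example, not code from Binary Defense; the event records are constructed with a simplified Sysmon/Security/System-log shape, and every path in them is a placeholder rather than a Qbot indicator.

```python
import re

# Constructed sample telemetry (not from the report): simplified records that
# mirror Sysmon process-create (1) and registry-set (13) events, Security 4698
# (scheduled task created) and System 7045 (service installed).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\msra.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\loader.exe"},
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData"},
    {"id": 4698, "task_user": "SYSTEM",
     "command": r"C:\Users\alice\AppData\Local\Temp\loader.exe"},
    {"id": 7045, "service_path": r"rundll32.exe C:\Windows\Temp\payload.dll,DllMain"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",       # benign
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 4698, "task_user": "SYSTEM",                           # benign
     "command": r"C:\Windows\System32\cleanmgr.exe"},
]

USER_WRITABLE = re.compile(r"\\(Users|AppData|ProgramData|Temp)\\", re.I)
OFFICE_APPS = ("excel.exe", "winword.exe", "outlook.exe")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def msra_untrusted_parent(e):
    # Qbot injects into msra.exe; a user-writable or Office parent is abnormal.
    return (e["id"] == 1 and basename(e.get("image", "")) == "msra.exe"
            and (USER_WRITABLE.search(e.get("parent", "")) is not None
                 or basename(e.get("parent", "")) in OFFICE_APPS))

def defender_exclusion_added(e):
    # Registry write under the Defender exclusions key.
    return e["id"] == 13 and "\\windows defender\\exclusions\\" in e.get("target", "").lower()

def system_task_from_user_path(e):
    # Privilege escalation: task running as SYSTEM from a user-writable location.
    return (e["id"] == 4698 and e.get("task_user", "").upper() == "SYSTEM"
            and USER_WRITABLE.search(e.get("command", "")) is not None)

def service_loads_dll(e):
    # Remote service install whose binary path hands a DLL to a host process.
    return e["id"] == 7045 and ".dll" in e.get("service_path", "").lower()

RULES = (msra_untrusted_parent, defender_exclusion_added,
         system_task_from_user_path, service_loads_dll)

def detect(events):
    """Return (event index, rule name) for every record that trips a rule."""
    return [(i, rule.__name__) for i, e in enumerate(events)
            for rule in RULES if rule(e)]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Individually each rule is noisy on a real fleet; the value is in correlating several of them from the same host within the 30-minute window the report describes.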