Threat Watch

Qbot Campaign Targets US Banking Customers

Security researchers at many security service providers, including F5 Labs and Binary Defense, have been tracking continued attacks that use Qbot malware payloads to steal credentials from customers of dozens of US-based banks, plus some banks in Canada and the Netherlands. Qbot (also known as Qakbot or Pinkslipbot) is a banking trojan with lateral movement capabilities. It is used to steal banking credentials and financial data, log user keystrokes, deploy backdoors and install other malware on infected machines. In total, the current Qbot campaign is targeting 36 different US financial institutions, including JP Morgan, Citibank, Bank of America, Citizens, Capital One, Wells Fargo, and FirstMerit Bank.

Qbot, which has been active since around 2008, hasn’t changed its core much, but has added some new features. The new version is designed to detect and evade capture and analysis by security researchers. It has a packing layer that scrambles and hides the code from scanners and signature-based tools such as anti-virus. It also contains anti-virtual machine features that help it resist forensic examination. Additionally, there’s an assortment of modules available for use by Qakbot, including a modified Gozi hVNC (hidden VNC) module as well as a password stealer, mail stealer, cookie stealer and more.

Qbot is primarily being delivered through malicious spam email messages sent via infected computers (bots) through compromised email server accounts. The payloads that deliver Qbot alternate between macro-laden Microsoft Office files (Word, typically) and Visual Basic (VB) script files inside zip archive files. Some bots are “promoted” to be used as Command and Control (C2) servers, causing the list of servers to change on a daily basis as bots are added and removed.


Protecting against browser hijacking is challenging. Although Qbot often evades detection by anti-virus programs, it is still a good idea to keep anti-virus updated because it can catch many common malware threats. It is also advisable to avoid using freeware that hasn’t been thoroughly tested, although that won’t help defend against Qbot because it is distributed via malicious email messages. Common sense applies when receiving emails: if the email doesn’t look right, use extreme caution and don’t open attachments or linked files. Defenders should watch for end users running unexpected Visual Basic (VB) script files using wscript.exe, and should change the default program for opening VB and JS files to Notepad, which prevents users from being tricked into executing scripts by double-clicking them. Using a service such as Binary Defense Managed Detection and Response (MDR) can help secure systems. One of the changes that Qbot made is that when it detects the Binary Defense MDR software running, it kills itself.
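One way to watch for unexpected script runs under wscript.exe is to triage process-creation events, as in this added example (not code from Binary Defense or F5 Labs). The event fields follow Sysmon Event ID 1; the allowed directories, the parent-process list, the zip-path heuristic and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe"}                  # script host named in the article
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse")   # VB and JS script file types
# Assumption: directories where administrator-owned scripts legitimately live.
ALLOWED_DIRS = ("c:\\windows\\", "c:\\program files\\")
# Assumption: parents that suggest a user double-click or a mail/Office handoff.
USER_PARENTS = {"explorer.exe", "outlook.exe", "winword.exe"}

def script_args(command_line):
    """Return script paths passed on a command line (quoted, or bare without spaces)."""
    tokens = [q or b for q, b in re.findall(r'"([^"]+)"|(\S+)', command_line)]
    return [t for t in tokens[1:] if t.lower().endswith(SCRIPT_EXTS)]

def triage(event):
    """Return the reasons an event looks suspicious; an empty list means ignore it."""
    if ntpath.basename(event["Image"]).lower() not in SCRIPT_HOSTS:
        return []
    reasons = []
    for path in script_args(event["CommandLine"]):
        low = path.lower()
        if not low.startswith(ALLOWED_DIRS):
            reasons.append(f"script outside allowed dirs: {path}")
        if "\\temp\\" in low and ".zip" in low:
            reasons.append("script launched from an extracted zip archive")
    if reasons and ntpath.basename(event["ParentImage"]).lower() in USER_PARENTS:
        reasons.append("launched by a user-facing parent process")
    return reasons

# Constructed sample events (hosts, users and file names are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",   # double-clicked inside a zip
     "CommandLine": r'"C:\Windows\System32\WScript.exe" '
                    r'"C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",   # scheduled admin script
     "CommandLine": r'wscript.exe //B "C:\Program Files\ExampleCorp\inventory.vbs"',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",   # .vbs re-associated to Notepad
     "CommandLine": r'notepad.exe "C:\Users\bob\Downloads\report.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["Image"]), "->", triage(ev) or "ok")
```

The third sample shows the effect of the Notepad re-association: the double-clicked script opens as text and no script host process is created.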

To read more: