Security researchers at many security service providers, including F5 Labs and Binary Defense, have been tracking continued attacks that use Qbot malware payloads to steal credentials from dozens of US-based banks, plus some banks in Canada and the Netherlands. Qbot (also known as Qakbot or Pinkslipbot) is a banking trojan with lateral movement capabilities used to steal banking credentials and financial data, log user keystrokes, deploy backdoors and install other malware on infected machines. In total, the current Qbot campaign is targeting 36 different US financial institutions, including JP Morgan, Citibank, Bank of America, Citizens, Capital One, Wells Fargo, and FirstMerit Bank.

Qbot, which has been active since around 2008, hasn’t changed its core much, but has added some new features. The new version is designed to detect and evade being captured and analyzed by security researchers. It has a packing layer that scrambles and hides the code from scanners and signature-based tools such as anti-virus, and it contains anti-virtual machine features that help it resist forensic examination. Additionally, there is an assortment of modules available for use by Qakbot, including a modified Gozi hVNC (hidden VNC) module as well as a password stealer, mail stealer, cookie stealer and more.

Qbot is primarily being delivered through malicious spam email messages sent via infected computers (bots) through compromised email server accounts. The payloads that deliver Qbot alternate between macro-laden Microsoft Office files (typically Word) and Visual Basic (VB) script files inside zip archives. Some bots are “promoted” to be used as Command and Control (C2) servers, causing the list of servers to change on a daily basis as bots are added and removed.
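As an added example (not from the article, F5 Labs or Binary Defense), the check below flags inbound attachments that match the two delivery formats described: Office documents carrying an embedded VBA project and zip archives that contain VB script files. The sample attachments are constructed inline and are not real malware.

```python
import io
import zipfile

# Delivery formats described for this campaign: macro-laden Office files and
# VB script files inside zip archives. Extension sets are assumptions.
OFFICE_EXTS = {".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx"}
SCRIPT_EXTS = {".vbs", ".vbe", ".wsf", ".js", ".jse"}


def _ext(name):
    name = name.lower()
    i = name.rfind(".")
    return name[i:] if i >= 0 else ""


def classify_attachment(filename, data):
    """Return the reasons an attachment matches the campaign's delivery patterns
    (an empty list means no match). Only zip-based containers are inspected;
    legacy OLE .doc/.xls files are flagged by extension since this example does
    not parse the OLE format."""
    reasons = []
    ext = _ext(filename)
    if ext in SCRIPT_EXTS:
        reasons.append("bare script attachment")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if ext in {".doc", ".dot", ".xls"}:
            reasons.append("legacy Office binary (macro status unknown)")
        return reasons
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    if ext in OFFICE_EXTS:
        # OOXML documents keep VBA macros in a vbaProject.bin part.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("Office document with embedded VBA project")
    else:
        scripts = [n for n in names if _ext(n) in SCRIPT_EXTS]
        if scripts:
            reasons.append("zip archive containing script file(s): " + ", ".join(scripts))
    return reasons


def _build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a macro-bearing .docm, a zip holding a .vbs, and a clean .docx.
SAMPLE_DOCM = _build_zip({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": b"\x00"})
SAMPLE_ZIP = _build_zip({"invoice_2020.vbs": "MsgBox 1"})
SAMPLE_CLEAN = _build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
```

Because the page notes that the C2 list changes daily, a check on attachment structure like this one complements, rather than replaces, indicator-based blocking.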