Qbot, also known as Qakbot or QuakBot, has returned to light-speed attacks, stealing sensitive data only 30 minutes after the initial infection. Qbot is a modular banking trojan that has been around since at least 2007 and has since been developed into much more than a simple banking trojan, with additional features including the ability to act as a delivery agent for ransomware.
Qbot is typically delivered via phishing emails with an Excel document attached that contains a malicious macro. Upon execution, this macro drops the DLL loader onto the target system and executes it. Qbot first injects into the msra.exe process, using a built-in Windows binary to perform its additional activity and so help evade detection. The malware also attempts to add itself to the Windows Defender exclusions list via the Registry to prevent the anti-malware engine from removing it. Qbot will also attempt to escalate privileges by creating a scheduled task that runs itself as SYSTEM a few minutes after the task is created.
From there, Qbot attempts to steal sensitive information on the system, including email threads to be used for further phishing attacks and Windows credentials stored in memory. Qbot will then attempt to laterally move within the network, using the stolen Windows credentials to execute itself on other workstations by creating a remote service to execute its DLL payload.
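The three host-side behaviours described above (Defender exclusion written via the Registry, a scheduled task running as SYSTEM from a dropped file, and a new service whose binary is a DLL) are the ones a detection engineer would key on. The following is an added example, not part of the original write-up, that runs those three checks over constructed key=value telemetry lines; the event IDs are the standard Windows ones, while hostnames, task and service names, and file paths are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry in key=value form (not real Qbot logs). Event IDs are
# the standard Windows ones (4657 registry value change, 4688 process creation,
# 7045 service install); hostnames, task and service names, and paths are placeholders.
SAMPLE_EVENTS = [
    r'id=4657 type=registry_set image="C:\Windows\System32\msra.exe" '
    r'key="HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" value="C:\Users\alice\AppData\Roaming"',
    r'id=4688 type=process_create image="C:\Windows\System32\schtasks.exe" '
    r'cmdline="schtasks /create /ru SYSTEM /sc once /tn PLACEHOLDER_TASK /tr C:\Users\alice\AppData\Roaming\loader.dll"',
    r'id=7045 type=service_install host=WKS02 name=PLACEHOLDER_SVC path="C:\Windows\Temp\payload.dll" account=LocalSystem',
    r'id=4688 type=process_create image="C:\Windows\System32\schtasks.exe" '
    r'cmdline="schtasks /create /ru SYSTEM /sc daily /tn Backup /tr C:\Program Files\Backup\backup.exe"',
    r'id=7045 type=service_install host=WKS03 name=Spooler path="C:\Windows\System32\spoolsv.exe" account=LocalSystem',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)

def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: (quoted or bare) for k, quoted, bare in KV.findall(line)}

def defender_exclusion_write(ev: Dict[str, str]) -> bool:
    """Registry write under the Defender exclusions tree: the AV-evasion step."""
    return ev.get("type") == "registry_set" and "\\windows defender\\exclusions\\" in ev.get("key", "").lower()

def system_task_from_user_path(ev: Dict[str, str]) -> bool:
    """schtasks creating a task that runs as SYSTEM with its action in a user-writable directory."""
    if ev.get("type") != "process_create" or not ev.get("image", "").lower().endswith("schtasks.exe"):
        return False
    cmd = ev.get("cmdline", "")
    action = re.search(r"/tr\s+(.+?)(?:\s+/|$)", cmd, re.I)
    return "/ru system" in cmd.lower() and bool(action) and bool(USER_WRITABLE.search(action.group(1)))

def service_with_dll_payload(ev: Dict[str, str]) -> bool:
    """New service whose binary path is a DLL rather than an executable: the lateral-movement step."""
    return ev.get("type") == "service_install" and ev.get("path", "").lower().endswith(".dll")

RULES = {fn.__name__: fn for fn in (defender_exclusion_write, system_task_from_user_path, service_with_dll_payload)}

def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, event id) for every line that trips a rule; benign lines produce nothing."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        hits.extend((name, ev.get("id", "?")) for name, rule in RULES.items() if rule(ev))
    return hits

if __name__ == "__main__":
    for name, event_id in triage(SAMPLE_EVENTS):
        print(f"{name}: event {event_id}")
```

The two benign lines (a SYSTEM task pointing at Program Files and the Spooler service) are included to show that the rules key on the dropped-file location and the DLL payload, not on schtasks or service creation as such.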
Analysis of an active campaign using this version of Qbot has seen information stolen from the victim in around 30 minutes and successful lateral movement in 50 minutes, showing just how rapid Qbot is in achieving its objectives.