July 29, 2022
QBot Malware: What Is It and How Does It Work
QBot, also known as Qakbot, QBot, QuackBot, and Pinkslipbot, is a Banking Trojan that was first observed in 2007. Today, Qbot is still a dangerous and persistent threat to organizations and has become one of the leading Banking Trojans globally.
To this day, QBot continues to grow and develop, with more capabilities and new techniques. Its main purpose is to steal banking data (banking credentials, online banking session information, victim’s personal details, etc.). However, its developers have also developed functionalities that allow QBot to spread itself, evade detection and debugging, and install additional malware on compromised machines, such as Cobalt Strike, REvil, ProLock, and Egregor ransomware.
Qbot uses multiple attack vectors to infect victims. QBot is distributed through phishing emails containing malicious documents, attachments, or password-protected archives with the documents attached. Some versions of the malware were observed being distributed by a dropper, such as Emotet.
Typical QBot malicious activity observed in the wild
Collecting information about the compromised host
Stealing credentials (from browser data and cookies)
Targeting web banking links
Registry manipulation and creating scheduled tasks (for persistence)
Laterally moving through the network
The infection chain of recent QBot attacks
Malicious actors deliver a phishing email with a ZIP attachment containing an office file with embedded XL4M macros or the document itself. The email is designed to deceive the victim and convince them to open it. Upon opening the malicious attachment, the user is tricked into clicking “Enable content” so that the macros are executed.
The macro creates the directory “C:\Merto\Byrost” and attempts to download the payload via HTTP ‘GET’ requests to the URLs hidden within the document in protected and hidden sheets. If successful, it saves the payload in that directory and executes it via regsvr32.
The payload has encrypted resources which are decrypted later during runtime.
The configuration settings are retrieved from another resource.
Another infection chain that was recently observed was the use the Follina exploit to deliver QBot. These recent campaigns begin with email thread hijacking and the delivery of an HTML attachment.
Once the attachment is opened, an archive file (ZIP) with a disk image file (IMG) inside is dropped, containing an Office document, a shortcut file (.LNK) which executes the DLL, and a DLL file, which is the QBot payload.
The Office document will load and execute an HTML file (which it retrieves from a remote server) containing PowerShell abusing the Follina exploit. This is used to download and execute QBot. This approach covers 2 different ways of infecting the user’s PC with QBot, hoping the user will fall for one of them.
QBot goes through multiple layers of unpacking to deploy its final payload, starting from the downloaded DLL execution via regsvr32.exe. It implements multiple encryption schemes and anti-analysis techniques, such as the use of a dynamic import table and encrypting strings, to conceal its functionality and data from the victims and anti-virus vendors.
Upon successfully decrypting its payload, QBot will enumerate all processes and search for processes known for protecting its user from malicious activity.
It will also check if it is running on a VM, by using the CPUID instruction and checking on what system the machine runs. Some QBot versions also check if it is running in a VM by looking for a VMWare port existence. In VMWare, communication with the host machine is done through a specific port (5658), so QBot tries to detect VMWare by reading from this port.
After the anti-analysis checks, if QBot decides it is running in a VM, it will exit the process and won’t decrypt the final payload. Otherwise, it would load and decrypt the code from its resources and inject itself into a newly spawned explorer.exe instance.
QBot constructs its configuration out of 2 embedded resources- “102” and “103”, which are RC4 decrypted on runtime.
QBot malware resources - 102 and 103
The resource “102” contains a list of 150 command and control (C&C) servers, and “103” is the initial configuration data.
"Bot id": "obama182",
QBot configuration data - campaign (obama182) and version
The reason there are many C&C servers is that these are proxies of infected bots acting as intermediate nodes between the victim and the real C&C, hiding the attacker’s infrastructure.
QBot immediately tries to escalate privileges by creating this scheduled task:
The created task name is “ltprdtke”, which executes the command ”regsvr32.exe -s \"C:\Merto\Byrost\Veonse.OOOCCCXXX\” only once, with system privileges.
It also initiates communications with its C&C servers, as they appear in the configuration file. Both directions of communication with the C&C are obfuscated and encrypted. QBot also caches data in the Windows Registry in an encrypted format, in a key it creates during the infection process.
QBot performs several activities including reconnaissance activity such as performing an ARP scan of the entire IP address range, which is used to identify other active hosts on the network, presumably to look for a way to move laterally to other machines on the network.
ARP Scan for different IP addresses on the network
How to protect against QBot?
QBot is still a dangerous malware and it seems like the threat group behind it keeps evolving its techniques throughout the years. As it is typically delivered via phishing emails, the most effective way to protect against this malware is with Advanced Threat Protection for email. Datto SaaS Defense, Datto’s Advanced Threat Protection for the Microsoft 365 suite, protects against phishing and multiple types of malware. Its data-independent technology scans email attachments, links and content to detect unknown threats at first encounter before they reach the end-user.
Schedule a demo to learn how SaaS Defense can help you protect your clients’ from the most advanced cyber attacks.