There is no cease-fire in the continuing battle against malware. Qbot, a banking trojan malware active since 2008, is back in business with new functions and new stealth capabilities. In the past 12 years, this malware has gone by a handful of names, including Qakbot and Pinkslipbot.
Despite all the variations and evolutions, Qbot’s main goal has remained the same: collect browsing activity and steal bank account credentials and other financial information. Attackers usually infect victims using phishing techniques to lure victims to websites that use exploits to inject Qbot via a dropper. It does this through a combination of techniques that subvert the victim’s web sessions, including keylogging, credential theft, cookie exfiltration, and process hooking.
Previously, Qbot also used worm self-replication techniques to copy itself over shared drives and removable media. Qbot is still Windows-based, but this latest version adds both detection and research-evasion techniques. It has a new packing layer that scrambles and hides the code from scanners and signature-based tools. It also includes anti-virtual machine techniques, which helps it resist forensic examination. However, that didn’t deter us analyzing its new capabilities and documenting the infection flow.
Qbot’s Infection Process
Here’s how the new Qbot infection typically occurs on a targeted computer:
- Qbot is loaded into the running explorer.exe memory from an executable introduced via phishing, an exploit’s dropper, or an open file share.
- Qbot copies itself into the application folder’s default location, as defined in the %APPDATA% registry key.
- Qbot creates a copy of itself in the specific registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run to run when the system reboots.
- Qbot drops a .dat file with a log of the system information and the botnet name.
- Qbot executes its copy from the %APPDATA% folder and, to cover its tracks, replaces the originally infected file with a legitimate one.
- Lastly, Qbot creates an instance of explorer.exeand injects itself into it. The attackers then use the always-running explorer.exe process to update Qbot from their external command-and-control server.
Qbot Web Banking Target List
Our latest analysis of several sample of the malware from this year showed that Qbot’s focus is on banks in the United States. This appears to be a dedicated campaign with a browser hijack, or redirection, as the main attack method when the machine is infected. As Qbot watches a victim’s web traffic, it looks for specific financial services from which to harvest credentials. We found specific strings within Qbot that targeted financial institutions, as shown in Table 1.
| Target | Locale |
| https:/cmserver/logout.cfm* | Any |
| https://express.53.com/express/logoff.action* | U.S. |
| https://businessaccess.citibank.citigroup.com/cbusol/quit.do* | U.S. |
| https://businessaccess.citibank.citigroup.com/cbusol/signOff.do* | U.S. |
| https://singlepoint.usbank.com/cs70_banking/logon/sbbExit/logout.do* | U.S. |
| https:/wcmfd/wcmframework/TrapFunctionality?functionalityURL=/wcmfd/wcmframework/Signoff* | Any |
| https:/TMConnectWeb/cgi-bin/logoutconfirm.cgi* | Any |
| https:/cmserver/logout.cfm* | Any |
| https://weblink.websterbank.com/weblink/logout.asp* | U.S. |
| https:/exit.asp* | Any |
| https://*.secure.fundsxpress.com/piles/fxweb.pile/exit* | U.S. |
Table 1. Financial institutions Qbot targets.
Regional Targeting by Qbot
Analysis of the latest Qbot campaign shows that it is mainly focused on the United States (see Figure 1), targeting approximately 36 U.S. financial institutions and two banks in Canada and the Netherlands; the rest of the list contains generic URL targets that might be added as a second stage in the fraud action.
