LTS Secure Warning: Qbot Banking Trojan Reappears With New Evasion Techniques

Qbot malware, an every evolving banking trojan, that has been around since 2008, has again resurfaced, targeting customers of U.S. financial institutions. The new variant includes capabilities helping it remain undetected.

 

Technical Details

  • The malware starts of by loading itself into the explorer.exe memory, from an executable introduced via phishing, an open file share or an exploit.
  • The malware then proceeds to copy itself into the application folders default location, defined in the %APPDATA% registry key.
  • The malware then creates another copy of itself in the below registry, to ensure that it runs when the system reboots.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  • Later, a .dat file is then dropped, containing the log of the system information & the botnet name.
  • The malware then executes its copy from %APPDATA% and covers its tracks by replacing the infected file with a legitimate one.
  • Finally, the malware injects itself into an instance of explorer.exe, which it creates on its own. This allows the attacker to update the malware using their C&C server.
  • The new variant of the malware has a new packing layer, that scrambles & hides the code from scanner & signature-based solutions, helping it evade detection.

 

Impact

  • Log user’s keystrokes.
  • Harvest browsing & financial data.
  • Steal sensitive/confidential information like email login credentials, domain passwords & certificates.
  • Process hooking.

 

Recommended Actions

  • Always update your anti-virus software with the latest releases.
  • Periodically run “full system scan” on your endpoints.
  • Never download any suspicious attachments or click on any shady-looking link. Take an effort to educate your users on how to identify a mal-spam.
  • Ensure that system is up-to-date with latest patches released.
  • Make proper security configuration for Firewall/IDS/IPS/Endpoint Protection systems so that no holes are left barred.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.
LTS Secure Locations
  • Florida: 407-965-5509
    Los Angeles: 323-544-5013
    Mid West: 800 689 4506

  • Chicago/Midwest– 2406 Schumacher Drive, Mishawaka, IN, 46545

    201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013