Security researchers at F5 Labs have spotted ongoing attacks using Qbot malware payloads to steal credentials from customers of dozens of US financial institutions.
The threat was used in recent attacks aimed at JP Morgan, Citibank, Bank of America, Citizens, Capital One, Wells Fargo, and FirstMerit Bank.
The campaign targets 36 different U.S. financial institutions and two banks in Canada and the Netherlands.
“Analysis of the latest Qbot campaign shows that it is mainly focused on the United States (see Figure 1), targeting approximately 36 U.S. financial institutions and two banks in Canada and the Netherlands;” reads the report published by F5 Labs.
F5 Labs’ researchers reported that the Qbot variant used in the last attacks has implemented a number of new features, especially to evade detection.
“Previously, Qbot also used worm self-replication techniques to copy itself over shared drives and removable media. Qbot is still Windows-based, but this latest version adds both detection and research-evasion techniques.” continues the report. “It has a new packing layer that scrambles and hides the code from scanners and signature-based tools. It also includes anti-virtual machine techniques, which helps it resist forensic examination.”
The malware is distributed through phishing attacks that attempt to trick victims into visiting websites that use exploits to inject Qbot via a dropper.
Below the typical Qbot infection chain:
Qbot monitors the victim’s web traffic searching for specific strings (i.e. https://*.jpmorgan.com/*logoff*, https://*.ebanking-services.com/nubi/SignOut.aspx*, https://www#.citizensbankmoneymanagergps.com/cb/servlet/cbonline/LogEZDExit*) associated with financial services to capture credentials.
The bot also makes lateral movements via network share exploits to infect other systems on the same network and leverage brute-force attacks to target Active Directory admin accounts.
“Qbot has been around for a dozen years with pretty much the same functionality. The targets changed and features were added, but it’s still primarily about keylogging and, secondarily, about extracting a victim’s personal data.” concludes the report. “As Qbot waxes and wanes in popularity with attackers, it is hard to gauge its overall impact on a global scale.”
In April, security experts at BAE Systems announced that the Qbot malware was back, they discovered 54,517 infected machines most of them located in the United States (85%).
The experts discovered samples of Qbot that targeted US academic institutions and hospitals. It is interesting to note that the new Qbot variant has the ability to traverse a network and spread its replica, it is characterized by polymorphic capabilities that allow the threat to evade AV software.
(SecurityAffairs – malware, Qbot campaign)