Security researchers at F5 Labs discovered an ongoing malware campaign using “Qbot malware” payloads to steal financial data from customers of U.S. banks and financial institutions.
Qbot malware, also known as Qakbot and Pinkslipbot, is a banking Trojan active since 2008. According to F5 Labs researchers, attackers are still using the Qbot malware with updated worm features to steal users’ keystrokes, deploy backdoors, and spread malware payloads on compromised devices. The researchers stated that the latest version of Qbot has detection- and research-evasion techniques that hide the malware’s code and let it escape scanners and antivirus tools.
“Attackers usually infect victims using phishing techniques to lure victims to websites that use exploits to inject Qbot via a dropper. It does this through a combination of techniques that subvert the victim’s web sessions, including keylogging, credential theft, cookie exfiltration, and process hooking,” the researchers said.
According to the research analysis, the Qbot campaign is mainly focused on banks and financial firms in the U.S., targeting around 36 U.S. financial institutions and two banks in Canada and the Netherlands.
“Several samples of the malware from this year showed that Qbot’s focus is on banks in the United States. This appears to be a dedicated campaign with a browser hijack, or redirection, as the main attack method when the machine is infected. As Qbot watches a victim’s web traffic, it looks for specific financial services from which to harvest credentials,” the researchers added.
The researchers listed how Qbot infection proceeds on a targeted device:
- Qbot malware is loaded into the running explorer.exe memory from an executable file that is distributed via phishing mails or an open file share
- The malware then installs itself into the application folder’s default location, as defined in the %APPDATA% registry key
- Qbot creates a copy of itself in the specific registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run to run when the system reboots
- Later it drops a .dat file with a log of the system information and the botnet name
- The malware executes its copy from the %APPDATA% folder and replaces the originally infected file with a legitimate one
- Finally, Qbot creates an instance of explorer.exe and injects itself into it. Hackers then use the always-running explorer.exe process to update Qbot from their external command-and-control server
F5 Labs recommended security measures such as using updated antivirus software, fixing critical flaws in applications and devices, and providing the necessary security awareness training to the workforce to defend against evolving malware threats.