Qbot Banking Malware Can Infect Cybersecurity Firms

A new strain of Qbot malware is spying on corporations around the world to steal their financial information and has even infected multiple cybersecurity vendors, according to information security firm Varonis. Varonis has not named the affected cybersecurity vendors, but it says thousands of businesses have been compromised and are under active control by the cybercriminals.
 
Attackers have used a new variant of a banking malware known as Qbot, which first appeared in 2009. The strain is polymorphic, meaning it can rapidly mutate to stay ahead of anti-virus systems.
 
“One of the more interesting things about this strain is its evasion techniques: it scans AVs (anti-virus software) on the system, it looks for monitoring tools, and tries to stay undetected,” says Snir Ben Shimol, director of cybersecurity at Varonis.
 
“The malware is also using a vast variety of legit certifications to sign the malicious executables to evade detection. Moreover, it is constantly changing and evolving, adding new tools to its arsenal and making it harder for the defenders to detect and analyse it.”
 
Varonis says it found 2,726 unique victim IP addresses but warns that number could be far higher because many organisations mask their internal IP addresses.
 
“From what we can tell, affected companies include Fortune 500 and mid-size corporations, as well as their service providers. Another interesting fact is we found big security vendors in the list of victims,” Shimol told Verdict.
Around 1,750 of these victims are located in the US. In a distant second place, the UK has roughly 75 victims.
Although Qbot appears to be actively targeting US corporations, there are victims throughout Europe, South America, Asia and Africa. The amount of money stolen is unknown.
 
How does Qbot malware steal financial details?
This new campaign seems to have started around November 2018. Varonis initially became aware of it after Varonis DatAlert warned one of the company’s North American customers of suspicious activity.
Varonis researchers analysed the findings and identified the malware as a new variant of Qbot, which has also gone by the name Qakbot, Pinkslip or Pinkslipbot.
 
The banking Trojan is most likely downloaded when victims visit an infected webpage.
Once in place, it spreads by copying itself to shared folders and removable drives.
In this version of Qbot, the first infection of a network is carried out by a phishing email that entices victims to click on a malicious zip file. It is unknown if the infected cybersecurity vendors unwittingly played any part in spreading the Qbot malware.
 
“Basically the attacker sends enticing emails to the victims that contain malicious code or a link to download the first dropper,” explains Shimol.
 
“After infecting the first victim at an organisation, the malware uses different brute-force attack techniques to try and laterally
move in the network.”
 
The main goal of the malware is to steal money. It does so by capturing every keystroke on an infected device and sends them to the cybercriminals. It can also send victim’s cookies and exploit APIs to extract financial information. May 2017 saw a resurgence of Qbot, which saw hundreds to thousands of victims locked out of their company’s domain, leaving affected organisations unable to access servers, endpoints and network assets.
 
Who is behind the Qbot strain?
Shimol says that they don’t know anything about the origin of the attacker or their motives.
 
“According to the information we’ve analysed, there are some indicators that parts of the attacker’s infrastructures were placed within Russia,” he said.
 
“However, there is no additional information about the attacker’s identities, other than their motivation to target specific financial institutions globally.”
 
Varonis tracked down the attacker’s server. From their analysis, they discovered a list of victim IP addresses, operating system details and anti-virus product names. It showed how the new Qbot strain has infected at least 14,687 devices with the Windows 10 Enterprise operating system, 13,209 Windows 10 Pro and 13,042 Windows 7 Pro.
 
The Qbot malware was able to bypass 46,438 Windows Defender anti-virus products, as well as thousands using McAfee and Symantec.
 
How to avoid it and what to do if you’re infected
The easiest way to avoid being infected is to stay away from phishing emails.
 
“Don’t open suspicious attachments, don’t click suspicious links, alert your SOC team for any unusual activity,” says Shimol.
 
“If you suspect that you are infected, use an AV product to scan the PC, and, as a SOC team, monitor the IOCs that are in the report.”
 
Shimol shared these five steps with Verdict that companies can follow:
 
1. Look for suspicious external emails containing Microsoft office attachments or URLs to unknown websites
2. Check for abnormal amounts of lockouts or login failures particularly for privileged accounts
3. Look for abnormal web traffic and direct download requests from your endpoints
4. Identify abnormal amounts of devices being access by accounts within the network
5. Use the IOCs to detect related files, IPs of the threat actors
 
Varonis says that it has shared its findings – including non-public information – with the appropriate authorities. 
 
 
You Might Also Read:

The Top 5 Malware Attack Types:

 
« Knowing How Your Data Behaves Is The Key To Cybersecurity
Bank of England Testing Banks' Cyber Resilience »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) - Japan

National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) - Japan

NISC was established as a secretariat of the Cybersecurity Strategy Headquarters in collaboration with the public and private sectors to create a "free, fair and secure cyberspace" in Japan.

Cryptomathic

Cryptomathic

Cryptomathic is an expert on commercial crypto - we develop, deliver and support the most secure and efficient off-the-shelf and customised solutions.

Ground Labs

Ground Labs

Ground Labs is a security software company dedicated to making sensitive data discovery products that help organisations prevent sensitive data loss.

Tigerscheme

Tigerscheme

Tigerscheme is a certification scheme for information security specialists, backed by University standards and covering a wide range of expertise.

FedRAMP

FedRAMP

FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

limes datentechnik

limes datentechnik

limes datentechnik is an authority in the fields of cryptography and data compression. The FLAM product family is an internationally accepted standard for efficient and safe handling of data.

The ai Corporation

The ai Corporation

The ai Enterprise Fraud Solution is an on-prem or cloud-based self-service, machine learning fraud detection and prevention tool set.

Lithuanian National Accreditation Bureau

Lithuanian National Accreditation Bureau

Lithuanian National Accreditation Bureau is the national accreditation body for Lithuania. The directory of members provides details of organisations offering certification services for ISO 27001.

Cybersecurity Collaboration Forum

Cybersecurity Collaboration Forum

The mission of the Cybersecurity Collaboration Forum is to foster information security communication and idea sharing across the C-Suite, enabling leaders to better protect their enterprises.

Mobileum

Mobileum

Mobileum is a leading provider of Telecom analytics for roaming, security and risk management and end-to-end domestic and roaming testing solutions.

BaXian Group

BaXian Group

BaXian AG is an international consulting company specializing in IT security, data analytics, risk management and compliance.

Paubox

Paubox

Paubox offers secure, HIPAA compliant email and marketing solutions to fit the needs of modern healthcare organizations of every size.

Astrill VPN

Astrill VPN

Astrill VPN is a Seychelles based Virtual Private Network(VPN) Company.

Eqlipse Technologies

Eqlipse Technologies

Eqlipse Technologies provides products and high-end engineering solutions to customers in the Department of Defense and Intelligence Community.

Piiano

Piiano

Piiano offers developer-friendly privacy and security products. Reduce risk and protect your data by using our specialized security and privacy SaaS tools.

One Step Secure IT

One Step Secure IT

One Step provide Managed IT Services, Cybersecurity Protections, and Compliance to businesses in the USA nationwide.