Qbot Banking Malware Can Infect Cybersecurity Firms

A new strain of Qbot malware is spying on corporations around the world to steal their financial information and has even infected multiple cybersecurity vendors, according to information security firm Varonis. Varonis has not named the affected cybersecurity vendors, but it says thousands of businesses have been compromised and are under active control by the cybercriminals.
 
Attackers have used a new variant of a banking malware known as Qbot, which first appeared in 2009. The strain is polymorphic, meaning it can rapidly mutate to stay ahead of anti-virus systems.
 
“One of the more interesting things about this strain is its evasion techniques: it scans AVs (anti-virus software) on the system, it looks for monitoring tools, and tries to stay undetected,” says Snir Ben Shimol, director of cybersecurity at Varonis.
 
“The malware is also using a vast variety of legit certifications to sign the malicious executables to evade detection. Moreover, it is constantly changing and evolving, adding new tools to its arsenal and making it harder for the defenders to detect and analyse it.”
 
Varonis says it found 2,726 unique victim IP addresses but warns that number could be far higher because many organisations mask their internal IP addresses.
 
“From what we can tell, affected companies include Fortune 500 and mid-size corporations, as well as their service providers. Another interesting fact is we found big security vendors in the list of victims,” Shimol told Verdict.
Around 1,750 of these victims are located in the US. In a distant second place, the UK has roughly 75 victims.
Although Qbot appears to be actively targeting US corporations, there are victims throughout Europe, South America, Asia and Africa. The amount of money stolen is unknown.
 
How does Qbot malware steal financial details?
This new campaign seems to have started around November 2018. Varonis initially became aware of it after Varonis DatAlert warned one of the company’s North American customers of suspicious activity.
Varonis researchers analysed the findings and identified the malware as a new variant of Qbot, which has also gone by the name Qakbot, Pinkslip or Pinkslipbot.
 
The banking Trojan is most likely downloaded when victims visit an infected webpage.
Once in place, it spreads by copying itself to shared folders and removable drives.
In this version of Qbot, the first infection of a network is carried out by a phishing email that entices victims to click on a malicious zip file. It is unknown if the infected cybersecurity vendors unwittingly played any part in spreading the Qbot malware.
 
“Basically the attacker sends enticing emails to the victims that contain malicious code or a link to download the first dropper,” explains Shimol.
 
“After infecting the first victim at an organisation, the malware uses different brute-force attack techniques to try and laterally move in the network.”
 
The main goal of the malware is to steal money. It does so by capturing every keystroke on an infected device and sending them to the cybercriminals. It can also send victims’ cookies and exploit APIs to extract financial information. In May 2017, a resurgence of Qbot locked hundreds to thousands of victims out of their company’s domain, leaving affected organisations unable to access servers, endpoints and network assets.
 
Who is behind the Qbot strain?
Shimol says that Varonis does not know anything about the origin of the attacker or their motives.
 
“According to the information we’ve analysed, there are some indicators that parts of the attacker’s infrastructures were placed within Russia,” he said.
 
“However, there is no additional information about the attacker’s identities, other than their motivation to target specific financial institutions globally.”
 
Varonis tracked down the attacker’s server. From their analysis, they discovered a list of victim IP addresses, operating system details and anti-virus product names. It showed how the new Qbot strain has infected at least 14,687 devices with the Windows 10 Enterprise operating system, 13,209 Windows 10 Pro and 13,042 Windows 7 Pro.
 
The Qbot malware was able to bypass 46,438 Windows Defender anti-virus products, as well as thousands using McAfee and Symantec.
 
How to avoid it and what to do if you’re infected
The easiest way to avoid being infected is to stay away from phishing emails.
 
“Don’t open suspicious attachments, don’t click suspicious links, alert your SOC team for any unusual activity,” says Shimol.
 
“If you suspect that you are infected, use an AV product to scan the PC, and, as a SOC team, monitor the IOCs that are in the report.”
 
Shimol shared with Verdict five steps that companies can follow:
 
1. Look for suspicious external emails containing Microsoft Office attachments or URLs to unknown websites
2. Check for abnormal amounts of lockouts or login failures, particularly for privileged accounts
3. Look for abnormal web traffic and direct download requests from your endpoints
4. Identify abnormal numbers of devices being accessed by accounts within the network
5. Use the IOCs to detect related files and the IPs of the threat actors
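Steps 2, 4 and 5 above are the ones a SOC can automate over its own authentication logs. The script below is an added example written for this article and is not Varonis code or anything from the report; the event list, the privileged-account set, the thresholds and the IOC address are all constructed for the demonstration (the IOC value is a TEST-NET placeholder, not an indicator from the report). It counts failures and lockouts per privileged account, flags accounts that successfully reached more distinct hosts than expected, and matches event source addresses against an IOC list.

```python
"""Triage helpers for the detection steps listed above (steps 2, 4 and 5).

Added example; not Varonis code. The events and IOC list below are
constructed for the demonstration and do not come from the Varonis report.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Constructed sample of authentication events, as a SIEM might export them:
# (account, host, outcome, source_ip). Outcome is one of
# "success", "failure" or "lockout".
SAMPLE_EVENTS: List[tuple] = [
    ("alice", "WS-01", "success", "10.0.0.5"),
    ("alice", "WS-01", "success", "10.0.0.5"),
    ("svc_backup", "WS-01", "failure", "10.0.0.23"),
    ("svc_backup", "WS-02", "failure", "10.0.0.23"),
    ("svc_backup", "WS-03", "failure", "10.0.0.23"),
    ("svc_backup", "FS-01", "lockout", "10.0.0.23"),
    ("svc_backup", "DC-01", "failure", "10.0.0.23"),
    ("bob", "WS-07", "success", "10.0.0.41"),
    ("bob", "WS-07", "failure", "10.0.0.41"),
    ("admin", "WS-01", "success", "10.0.0.23"),
    ("admin", "WS-02", "success", "10.0.0.23"),
    ("admin", "WS-03", "success", "10.0.0.23"),
    ("admin", "WS-04", "success", "10.0.0.23"),
    ("admin", "FS-01", "success", "10.0.0.23"),
    ("admin", "DC-01", "success", "10.0.0.23"),
    ("carol", "WS-09", "success", "203.0.113.77"),
]

# Accounts the organisation treats as privileged (constructed).
PRIVILEGED: Set[str] = {"admin", "svc_backup"}

# Placeholder IOC list standing in for the IPs in the vendor report
# (constructed value from the TEST-NET range, not a real indicator).
IOC_IPS: Set[str] = {"203.0.113.77"}


def failed_auth_by_account(events, privileged, threshold=3) -> Dict[str, int]:
    """Step 2: privileged accounts whose failures + lockouts reach the threshold."""
    counts = Counter(acct for acct, _host, outcome, _ip in events
                     if outcome in ("failure", "lockout") and acct in privileged)
    return {acct: n for acct, n in counts.items() if n >= threshold}


def wide_reaching_accounts(events, max_hosts=4) -> Dict[str, int]:
    """Step 4: accounts that successfully reached more distinct hosts than expected."""
    hosts = defaultdict(set)
    for acct, host, outcome, _ip in events:
        if outcome == "success":
            hosts[acct].add(host)
    return {acct: len(h) for acct, h in hosts.items() if len(h) > max_hosts}


def ioc_hits(events, ioc_ips) -> List[tuple]:
    """Step 5: events whose source address appears in the IOC list."""
    return [e for e in events if e[3] in ioc_ips]


def triage(events=SAMPLE_EVENTS, privileged=PRIVILEGED, ioc_ips=IOC_IPS) -> dict:
    """Run all three checks and return the findings in one structure."""
    return {
        "privileged_failures": failed_auth_by_account(events, privileged),
        "wide_reaching": wide_reaching_accounts(events),
        "ioc_hits": ioc_hits(events, ioc_ips),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

On the constructed data the service account trips the lockout check, the admin account trips the host-spread check because one source address used it to log on to six different machines, and one event matches the IOC placeholder. The thresholds are deliberately low for a sixteen-event sample; in production they should be derived from each account's baseline over a trailing window, and the checks should run against the real authentication log rather than a hard-coded list.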
 
Varonis says that it has shared its findings – including non-public information – with the appropriate authorities. 
 