A new strain of Qbot malware is spying on corporations around the world to steal their financial information and has even infected multiple cybersecurity vendors, according to information security firm Varonis.
The New York-based company has not named the affected cybersecurity vendors, but it says thousands of businesses have been compromised and are under active control by the cybercriminals.
Attackers have used a new variant of a banking malware known as Qbot, which first appeared in 2009.
The strain is polymorphic, meaning it can rapidly mutate to stay ahead of anti-virus systems.
“One of the more interesting things about this strain is its evasion techniques: it scans AVs [anti virus software] on the system, it looks for monitoring tools, and tries to stay undetected,” says Snir Ben Shimol, director of cybersecurity at Varonis.
“The malware is also using a vast variety of legit certifications to sign the malicious executables to evade detection. Moreover, it is constantly changing and evolving, adding new tools to its arsenal and making it harder for the defenders to detect and analyse it.”
Varonis says it found 2,726 unique victim IP addresses but warns that number could be far higher because many organisations mask their internal IP addresses.
“From what we can tell, affected companies include Fortune 500 and mid-size corporations, as well as their service providers. Another interesting fact is we found big security vendors in the list of victims,” Shimol told Verdict.
Around 1,750 of these victims are located in the US. In a distant second place, the UK has roughly 75 victims.
Although Qbot appears to be actively targeting US corporations, there are victims throughout Europe, South America, Asia and Africa.
The amount of money stolen is unknown.
How does Qbot malware steal financial details?
This new campaign seems to have started around November 2018. Varonis initially became aware of it after Varonis DatAlert warned one of the company’s North American customers of suspicious activity.
Varonis researchers analysed the findings and identified the malware as a new variant of Qbot, which has also gone by the name Qakbot, Pinkslip or Pinkslipbot.
The banking Trojan is most likely downloaded when victims visit an infected webpage.
Once in place, it spreads by copying itself to shared folders and removable drives.
In this version of Qbot, the first infection of a network is carried out by a phishing email that entices victims to click on a malicious zip file. It is unknown if the infected cybersecurity vendors unwittingly played any part in spreading the Qbot malware.
“Basically the attacker sends enticing emails to the victims that contain malicious code or a link to download the first dropper,” explains Shimol.
“After infecting the first victim at an organisation, the malware uses different brute-force attack techniques to try and laterally move in the network.”
The main goal of the malware is to steal money. It does so by capturing every keystroke on an infected device and sends them to the cybercriminals.
It can also send victim’s cookies and exploit APIs to extract financial information.
May 2017 saw a resurgence of Qbot, which saw hundreds to thousands of victims locked out of their company’s domain, leaving affected organisations unable to access servers, endpoints and network assets.
Who is behind the Qbot strain?
Shimol says that they don’t know anything about the origin of the attacker or their motives.
“According to the information we’ve analysed, there are some indicators that parts of the attacker’s infrastructures were placed within Russia,” he said.
“However, there is no additional information about the attacker’s identities, other than their motivation to target specific financial institutions globally.”
Varonis tracked down the attacker’s server. From their analysis, they discovered a list of victim IP addresses, operating system details and anti-virus product names.
It showed how the new Qbot strain has infected at least 14,687 devices with the Windows 10 Enterprise operating system, 13,209 Windows 10 Pro and 13,042 Windows 7 Pro.
The Qbot malware was able to bypass 46,438 Windows Defender anti-virus products, as well as thousands using McAfee and Symantec.
How to avoid it and what to do if you’re infected
The easiest way to avoid being infected is to stay away from phishing emails.
“Don’t open suspicious attachments, don’t click suspicious links, alert your SOC team for any unusual activity,” says Shimol.
“If you suspect that you are infected, use an AV product to scan the PC, and, as a SOC team, monitor the IOCs that are in the report.”
Shimol shared these five steps with Verdict that companies can follow:
- Look for suspicious external emails containing Microsoft office attachments or URLs to unknown websites
- Check for abnormal amount of lockouts or login failures particularly for privileged accounts
- Look for abnormal web traffic and direct download requests from your endpoints
- Identify abnormal amount of devices being access by accounts within the network
- Use the IOCs to detect related files, IPs of the threat actors
Varonis says that it has shared its findings – including non-public information – with the appropriate authorities.