Qbot malware's back, and latest strain relies on Visual Basic script to slip into target machines

guest · Feb 28, 2019

Qbot malware's back, and latest strain relies on Visual Basic script to slip into target machines
February 28, 2019
https://www.theregister.co.uk/2019/02/28/new_qbot_banking_malware_strain/

The latest version, spotted after an unfortunate customer's systems were infected, retains the anti-analysis polymorphism features of the original, Varonis researchers said.

[...] a file ending in the extension ".doc.vbs", which they said indicated "that the first infection was likely carried out via a phishing email that lured the victim into running the malicious VBS file".
Fooling an ordinary user into running a Visual Basic script is a new twist on the original Qbot, whose local trigger was a Word macro – a malware-spreading technique at least twice the age of Qbot itself.

The firm said that by analysing one of the command-and-control servers the new Qbot strain talked to, it had identified 40,000 Windows machines that had connected to that one server alone.
Varonis analysed all the versions of the new Qbot loader they were able to find and discovered they were all digitally signed [...]
Click to expand...

Varonis blog entry: Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims

itman · Mar 2, 2019

mood said: ↑

Qbot malware's back, and latest strain relies on Visual Basic script to slip into target machines
Click to expand...

Good example of LOL bitsadmin use:

Once run, the VB script hunts for common antivirus programs including Windows Defender, Malwarebytes, Kaspersky and Trend Micro among others. It then uses the baked-in Windows command line downloader tool BITSAdmin to download the malware itself
Click to expand...

Also of note:

Almost all of the infected machines were running Windows Defender,
Click to expand...

-EDIT- The Register article misstated the facts. The most infected installations were running McAfee with Windows Defender showing the second highest number of infections. The least infected installations were running Eset Endpoint Security. Since the "Other" AV category was sizable, it is fair to assume this bugger bypassed all of them. Per the Varonis article:

Victims by Anti-Virus Found

Since this malware specifically checked for what AV software was installed, one can assume infected victim counts reflect what software was easiest to bypass. -EDIT- Actually, this malware had its greatest impact against U.S. installations. Fair to assume many of those were using McAfee. Hence, the victim counts reflect malware geographical target preference versus the ability to bypass a given AV solution. Again, it appears this attack could bypass all enterprise AV solutions.

guest · Apr 24, 2019

Qbot Malware Dropped via Context-Aware Phishing Campaign
April 24, 2019
https://www.bleepingcomputer.com/ne...-dropped-via-context-aware-phishing-campaign/

A phishing campaign dropping the Qbot banking Trojan with the help of delivery emails camouflaging as parts of previous conversations was spotted during late March 2019 by the JASK Special Operations team.

As detailed by the JASK SpecOps security researchers, "The delivery mechanism for this Qbot infection was a phishing campaign where the targeted user received an email containing a link to an online document. Interestingly enough, the delivery email was actually a reply to a pre-existing email thread."
The phishing email uses a hyperlink to a VBScript-based dropper script packed as a ZIP archive and designed to drop the Qbot malware payload after being launched by the victim.

As discovered by the security research team at Varonis while analyzing another Qbot campaign during early March, the payload will gain persistence by copying "itself to %Appdata%\Roaming\{Randomized String}" and creating a registry value to have its loader launched when the user logs on [...]
As further explained by the Varonis research team, Qbot will then employ various techniques to steal as much financial data as possible from its victims, which gets sent to its masters' command-and-control servers.
Click to expand...

JASK: Back (Again): Uncovering the Latest Qbot Banking Trojan

Log in or Sign up

Qbot malware's back, and latest strain relies on Visual Basic script to slip into target machines

guest Guest

itman Registered Member

guest Guest

Log in or Sign up

Qbot malware's back, and latest strain relies on Visual Basic script to slip into target machines

guest Guest

itman Registered Member

guest Guest

Useful Searches