The Qbot malware is back and hard at work again, with infections reported on more than 50,000 PCs around the world, according to researchers at BAE Systems, and with 85% of those impacted systems residing in the United States. The latest Qbot incarnation has learned new tricks since its early days in 2009, and is riling security professionals with its ability to evade detection.
So far, the criminals behind this latest Qbot wave have repurposed the original Qbot source code and tweaked it so that the most recent version slips past most security systems.
According to Adrian Nish, head of cyber threat intelligence at BAE Systems, Qbot is masterful in the way it is able to regenerate itself on an infected host every 24 hours. “The authors behind Qbot are re-scrambling the code every day along with repacking it. One day an antivirus scan may be able to spot it, the next day it won’t,” Nish said. Nish said Qbot steals data and harvests credentials, and that its means of infection is the Rig Exploit Kit.
Who is the Target?
The primary targets are U.S.-based academic institutions. Hospitals have also been targeted; in those cases Qbot may be branching out and delivering ransomware as well. BAE Systems’ documentation of Qbot (PDF) being used as a vehicle to distribute ransomware jibes with research published earlier this week by Cisco Talos, which also found old malware given new legs by criminals who add worm-like capabilities and use infections to spread ransomware. However, while the malware exhibits some worm-like capabilities, such as the ability to traverse a network and self-replicate, it is not autonomous.
The code is updated via command-and-control servers. At intervals as little as six hours apart, the Qbot code is freshly compiled, often with additional content added, making it appear as if it were a completely different piece of software.
Since 2009, when Qbot launched its first assault on computer networks, the malware has never completely vanished; there have been sporadic reports of Qbot infections and variants causing limited outbreaks. What alarms researchers is the fast rate of infections in the past month, coupled with the malware’s ability to shape-shift on the fly.
BAE Systems said rates of U.S. infection are disproportionately high compared to other geographic regions primarily because attackers were first able to compromise U.S.-based websites. It found the Rig exploit kit on a half-dozen domains registered through the registrar GoDaddy. “We believe that the actors gained access to a set of compromised GoDaddy credentials, using these to access accounts and create subdomains which point to different name servers. Many of the domains are associated with the same GoDaddy domain,” wrote the BAE authors of the report. Those domains, according to BAE Systems, host the Rig exploit kit. When a user visits one of the compromised domains using an Internet Explorer web browser, for example, the malware is injected into the running process “explorer.exe” and attempts a heap-allocated buffer overflow attack.
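The report’s description of subdomains created inside a compromised registrar account and pointed at different name servers suggests a straightforward defender-side audit: compare every subdomain’s NS delegation against the apex domain’s own NS set and flag anything that points elsewhere. The Python below is an added example, not code from BAE Systems or from the article; the zone data, the hostnames in it and the `find_rogue_delegations` helper are constructed for illustration and run offline against the embedded sample.

```python
"""Audit subdomain delegations under a registrar-managed zone.

Hypothetical detection helper (not from the BAE Systems report): given the NS
records of an apex domain and of its subdomains, flag any subdomain whose
delegation includes name servers outside the apex's own NS set. Such a
delegation is what an attacker with registrar credentials would create to
serve content from infrastructure they control.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample zone data: name -> list of NS hostnames.
# A subdomain with an empty list has no delegation and is served by the apex's
# own name servers.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "example.com": ["ns1.registrar-example.net", "ns2.registrar-example.net"],
    "www.example.com": [],                                       # plain host, no delegation
    "cdn.example.com": ["ns1.registrar-example.net",
                        "ns2.registrar-example.net"],            # same servers as apex: fine
    "static.example.com": ["ns2.registrar-example.net"],         # subset of apex set: fine
    "update.example.com": ["ns1.rogue-example.org"],             # points elsewhere: suspicious
    "m.update.example.com": ["ns1.rogue-example.org"],           # child of the rogue delegation
}


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip any trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def is_under(name: str, apex: str) -> bool:
    """True when `name` is the apex itself or a label below it."""
    return name == apex or name.endswith("." + apex)


def find_rogue_delegations(apex: str,
                           zone: Dict[str, List[str]]) -> List[Tuple[str, Set[str]]]:
    """Return (subdomain, foreign_ns_set) for every subdomain delegated outside
    the apex's NS set, sorted by subdomain name."""
    apex = normalize(apex)
    trusted = {normalize(ns) for ns in zone.get(apex, [])}
    if not trusted:
        raise ValueError(f"no NS records for apex {apex}")

    findings: List[Tuple[str, Set[str]]] = []
    for raw_name, servers in zone.items():
        name = normalize(raw_name)
        if name == apex or not is_under(name, apex) or not servers:
            continue  # apex itself, out-of-zone entry, or no delegation to check
        foreign = {normalize(ns) for ns in servers} - trusted
        if foreign:
            findings.append((name, foreign))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for subdomain, foreign in find_rogue_delegations("example.com", SAMPLE_ZONE):
        print(f"{subdomain}: delegated to untrusted name servers {sorted(foreign)}")
```

In practice the zone data would come from a registrar API export or from resolving NS records for each known subdomain; a newly created subdomain that delegates outside the apex’s NS set is worth an immediate look at the registrar account’s login history.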