QBot, also known as Qakbot or pinkslipbot, is an information stealer that has been active since 2007. It is malware software that can monitor the browser's activities and lots of information on the victim's computer. It is also known as a banking trojan capable of stealing finance-related data from the infected device and loader by using c2 servers to target payload and downloads. Other important information that QBot can steal from a system are:
Name of the account
City
Country
Internet Explorer password-protected sites
IE username and passwords
IP addresses
MSN username and passwords
Operation system running on a victim computer
Username and password of outlook account
Certificates
Cookies
Public storage such as SMTP, POP3, LDAP
Browsing activities
System information
It has evolved as a leading banking Trojan worldwide, intending to steal banking credentials such as logins and passwords. It can also spy on finance-related information, spread itself, and install ransomware to generate maximum revenue from the victim devices. QBot is extending its functionality continuously, and new features have made it more robust such as logging keystroke, which gives it back door functionality and power to evade detection. The latest updates include virtual environment detection, regular-auto updates, and cryptor/packer changes. This malware also tries to protect itself from being analyzed or debugged by experts or automated tools.
Another function of QBot is its ability to steal emails from an infected computer; attackers then use these emails to send targeted emails to the victim computers using the information provided in emails to convince targeted users to open these emails.
QakBot Working
This software infects the victim's computers using spam emails. Sometimes these emails are delivered with Microsoft Office documents such as word or excel. Password-protected archives are also used as attachments. The documents are used to lure the victims into opening the attachment that is pretended to contain important information. Sometimes, these emails also link to web pages used for malicious documents distribution.
QakBot has another infection vector that transfers payloads to other devices from infected computers. In the beginning, the attacks use the attack vector against an organization that has the highest success rate. Then, reconnaissance is performed on a targeted organization before attacking to check the best attack vector.
Figure 1: QBot infection spreading mechanism.
2020-2021 variants of QBot uses the following scheme for infection:
The users receive spam mail containing a ZIP attachment. The ZIP file has an infected office document containing a malicious document download link.
When users open the link, they are deceived into clicking enable content.
After enabling, an infection software is executed that contains encrypted modules. DLL binary is also encrypted initially that is decrypted during execution.
The stager loads the loader to decrypt and execute the payload. Another module retrieves configuration settings.
QBot can push additional attack vectors like ProLock ransomware into the victim's computer.
Functions of QBot
QBot is malicious software that has the following functions:
Information collection about and from the victim's computer.
Development of Pre-scheduled tasks such as persistency and access right escalation.
Credential stealing and dumping and attacking the web banking link through web injections.
Brute force attacks on passwords.
Registration persistence.
Replication and process injection to remain invisible.
C2 Communication
A list of 150 IP addresses is prewritten In QakBot that is used as a proxy for traffic flow to other infected devices or the C2 server. HTTP post request is used to connect with C2. RC4 algorithm based base64-encryption is applied to the data. A string "jHxastDcds)oMc=jvh7wdUhxcsdt2" and 16-byte sequences are used for encryption of JASON data.
Figure 2 JASON Data
Figure 3 Encrypted message.
Continuous updates of the malware making is a success. The malicious software keeps updating its binary and adding more capabilities by module updating to steal more information and generate more revenue.