QBot Trojan Becomes More Stealthy

Delaware, USA – May 7, 2019 – The authors of the QBot trojan have started using new obfuscation techniques that significantly complicate detection of the malware. Researchers at Cisco Talos analyzed the malware's increased activity in April and found a number of changes that allow it to maintain persistence and stay hidden from security solutions. QBot infects a system via a dropper, which creates a scheduled task to run a JavaScript downloader. The downloader requests the URI “/datacollectionservice[.]php3” from one of the hardcoded hijacked domains and, if successful, downloads two files containing obfuscated data. It then decrypts and reassembles them into a single malicious executable and runs it. Downloading the highly obfuscated malware in parts allows the attackers to bypass multiple security solutions.

Preparation for the campaign began in mid-March, when the adversaries made DNS changes to the hijacked domains, and from the first days of April researchers began to record a large number of requests to them. Emotet may have served as the dropper in this campaign, since in the recent MegaCortex ransomware attacks all victims had previously been infected with both the Emotet and QBot trojans. The QBot (aka QakBot) banking malware has been known to researchers since 2008, and threat actors constantly modify it, adding new functions and techniques to avoid detection. To track all suspicious events on Windows hosts that need to be investigated, you can use your SIEM with the Sysmon Framework rule pack available at Threat Detection Marketplace: https://my.socprime.com/en/integrations/sysmon-framework-arcsight
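As an added example (not code from the article, Cisco Talos, or SOC Prime), here is the detection logic a SIEM rule for the chain above would encode, run over constructed Sysmon-style and proxy-style log lines: a scheduled task created to run a .js file, a Windows script host opening a network connection, and a web request for the downloader URI the article quotes. The simplified key=value log format, the schtasks.exe/wscript.exe/cscript.exe process names and the sample paths are assumptions; only the URI comes from the article.

```python
import re

# Constructed sample log lines (not real Sysmon or proxy output).
# EventID 1 = process creation, EventID 3 = network connection, "HTTP" = a web-proxy record.
SAMPLE_LOGS = [
    'EventID=1 Image=C:\\Windows\\System32\\schtasks.exe ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe '
    'CommandLine="schtasks /create /sc minute /mo 5 /tn SysUpd /tr wscript.exe C:\\Users\\bob\\AppData\\Roaming\\upd.js"',
    'EventID=1 Image=C:\\Windows\\System32\\wscript.exe ParentImage=C:\\Windows\\System32\\svchost.exe '
    'CommandLine="wscript.exe C:\\Users\\bob\\AppData\\Roaming\\upd.js"',
    'EventID=3 Image=C:\\Windows\\System32\\wscript.exe DestinationIp=203.0.113.10 DestinationPort=443',
    'HTTP Client=10.0.0.5 Host=example.test URI=/datacollectionservice.php3 Status=200',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="notepad.exe"',
    'HTTP Client=10.0.0.5 Host=example.test URI=/index.html Status=200',
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # assumption: the task invokes a Windows script host
QBOT_URI = "/datacollectionservice.php3"        # URI from the article, defanging brackets removed

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one constructed log line into a dict; quoted and unquoted values are both supported."""
    fields = {"Type": "HTTP" if line.startswith("HTTP ") else "Sysmon"}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def basename(path):
    """Last path component, lower-cased, so rules match on the executable name only."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return (rule_name, line_index) pairs for each indicator of the QBot infection chain."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_line(line)
        image = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "").lower()
        if (ev.get("EventID") == "1" and image == "schtasks.exe" and "/create" in cmd
                and any(h in cmd for h in SCRIPT_HOSTS) and ".js" in cmd):
            hits.append(("scheduled_task_runs_js", i))       # persistence via task running a .js
        elif ev.get("EventID") == "3" and image in SCRIPT_HOSTS:
            hits.append(("script_host_network", i))          # script host reaching out = downloader
        elif ev.get("Type") == "HTTP" and ev.get("URI", "").lower().endswith(QBOT_URI):
            hits.append(("qbot_downloader_uri", i))          # request for the hardcoded URI
    return hits
```

Each hit carries the index of the offending line so an analyst can pivot from the alert back to the raw event; in production the three rules would be correlated per host rather than evaluated in isolation.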