Cybercriminals can be quite resourceful when it comes to repurposing malware, with most opting for the path of least resistance. Threat actors are not likely to customize malware beyond what is required to accomplish the job – leaving the most sophisticated toolkits and zero-day exploits for those rare situations that require more advanced tactics. Because of this approach, certain pieces of malware that are slightly modified to avoid common signature-based detection tools will periodically reappear in new campaigns.
The Qbot banking trojan has continued to resurface with new features since it was discovered in 2009. The info-stealing malware has been used to target governments and corporations around the world, stealing user data and banking credentials with what appear to be evolving delivery mechanisms, command-and-control infrastructures and anti-analysis techniques.
The JASK Special Operations (SpecOps) team recently uncovered downloader activity exhibiting characteristics of the recent Qbot campaign. In late March 2019, a spear phishing event led to the discovery of a Qbot infection in what appears to be part of the most recent campaign making headlines. The malicious activity was detected by the JASK SpecOps team during regular hunting activities as a result of anomalous network activity associated with the use of the BITSAdmin utility. The threat actor successfully employed native Windows utilities to avoid detection by traditional security technologies prior to installing info-stealing malware that was ultimately identified and quarantined.
The latest JASK Case Study showcases an in-depth look at the recent Qbot banking trojan.
Greg Longo is a senior threat analyst on the JASK Special Ops team. Greg has over a decade of experience in cybersecurity, with previous positions that include global cyber threat management lead and information security specialist. He served almost 10 years in the Air National Guard as a cyber operations officer of the 166th Network Warfare Squadron and commander of the 166th Communications Flight.