Qbot malware

The Qbot malware uses a very stealthy automatic startup method to evade detection

Introduction: A new version of the Qbot malware activates its persistence mechanism immediately before the infected Windows device shuts down, and automatically removes all traces of it when the system restarts or wakes from sleep.


Qbot (also known as Qakbot, Quakbot and Pinkslipbot) is a Windows banking Trojan with worm capabilities that has been active since at least 2009, stealing banking credentials, personal information and financial data. It has been continuously updated since its discovery in 2009. Beyond stealing banking credentials and financial data, Qbot logs keystrokes, deploys backdoors and drops additional malware on the compromised device. In recent attacks the malware has also deployed Cobalt Strike beacons, which ransomware operators then use to deliver ProLock and Egregor ransomware payloads. Qbot victims have been infected through phishing emails carrying Excel attachments disguised as DocuSign documents.

Qbot's stealthy persistence mechanism

On November 24, Binary Defense threat researcher James Quinn discovered this new version of Qbot. The malware uses an updated and more subtle persistence mechanism that relies on Windows shutdown and restart messages to toggle its persistence on infected devices.

This technique is so effective that some researchers previously concluded that the Qbot Trojan had dropped its persistence mechanism entirely.

Although initial reports from other researchers noted that the Run-key persistence mechanism had been removed from the new Qakbot version, it was in fact replaced by a stealthier and more interesting persistence mechanism that monitors system shutdown messages and PowerBroadcast suspend/resume messages.


Qbot's window-message handler

The Trojan adds a registry Run entry on the infected system so that it starts automatically at logon, then deletes that entry immediately after the user starts the computer or wakes it from hibernation, to evade detection by anti-malware products and security researchers.

What makes this technique stealthy is the timing the Qbot developers chose for writing the Run entry into the Windows registry.

The malware only adds the Run entry just before the system goes to sleep or shuts down, so security products have no opportunity to detect and report the new entry. When the system wakes up or restarts and the user logs in, Qbot makes several attempts to delete the persistence entry.

However, because the value name of the Run entry is generated randomly on each infected system, Qbot does not look for a fixed name: it deletes any Run entry whose value data matches.


Qbot creating its Run-key persistence entry

Although this method of obtaining persistence is new to Qbot, other malware families, including the Gozi and Dridex banking Trojans, have used similar techniques in the past to evade detection.

Analysis shows that these two malware families use a similar persistence mechanism: both listen for the WM_QUERYENDSESSION and WM_ENDSESSION window messages to detect when the user is logging off. The new Qakbot version goes further and also watches for the WM_POWERBROADCAST message with the PBT_APMSUSPEND power event, so that its hook is triggered when the system is suspended.
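The behaviour described above and in the preceding "stealthy persistence" section leaves a timing signature a defender can look for: a Run-key value is set seconds before a shutdown or sleep event and deleted seconds after a boot or resume event. The following script is an added example, not part of the original article or of Binary Defense's tooling; it correlates constructed, simplified Sysmon registry events (IDs 12 and 13) with Windows power-state events (System log 1074/6006/6005, Kernel-Power 42, Power-Troubleshooter 1) and flags Run values that only exist while the machine is down. The sample records, the value name `kqwvx` and the SID are constructed for illustration.

```python
"""Flag Run-key values written right before shutdown/sleep and removed right
after boot/resume, the timing pattern described above.
The event records below are constructed, not real telemetry."""
from datetime import datetime, timedelta

RUN_KEY = "\\currentversion\\run\\"
# Events marking the machine going down (System 1074/6006, Kernel-Power 42)
# and coming back up (System 6005, Power-Troubleshooter 1).
DOWN_EVENTS = {("System", 1074), ("System", 6006), ("Kernel-Power", 42)}
UP_EVENTS = {("System", 6005), ("Power-Troubleshooter", 1)}

# Constructed sample: (timestamp, provider, event id, event type, target object)
RUN_BASE = r"HKU\S-1-5-21-X\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    ("2020-11-24T17:59:58", "Sysmon", 13, "SetValue", RUN_BASE + r"\kqwvx"),
    ("2020-11-24T18:00:01", "System", 1074, "", ""),          # shutdown initiated
    ("2020-11-24T18:00:06", "System", 6006, "", ""),          # event log stopped
    ("2020-11-25T08:30:00", "System", 6005, "", ""),          # event log started
    ("2020-11-25T08:30:35", "Sysmon", 12, "DeleteValue", RUN_BASE + r"\kqwvx"),
    ("2020-11-25T09:15:00", "Sysmon", 13, "SetValue", RUN_BASE + r"\OneDrive"),
]


def parse(events):
    """Sort records chronologically with parsed timestamps."""
    return sorted((datetime.fromisoformat(t), p, eid, et, obj)
                  for t, p, eid, et, obj in events)


def find_transient_run_keys(events, window_s=120):
    """Return {run value path: [reasons]} for Run-key writes that are followed
    by a shutdown/sleep event, or deletions that follow a boot/resume event,
    within window_s seconds. Benign Run values written at other times are ignored."""
    evs = parse(events)
    window = timedelta(seconds=window_s)
    downs = [t for t, p, eid, _, _ in evs if (p, eid) in DOWN_EVENTS]
    ups = [t for t, p, eid, _, _ in evs if (p, eid) in UP_EVENTS]
    findings = {}
    for t, p, eid, etype, obj in evs:
        if p != "Sysmon" or RUN_KEY not in obj.lower():
            continue
        if eid == 13 and any(t <= d <= t + window for d in downs):
            findings.setdefault(obj, []).append("Run value set just before shutdown/sleep")
        if eid == 12 and etype == "DeleteValue" and any(u <= t <= u + window for u in ups):
            findings.setdefault(obj, []).append("Run value deleted just after boot/resume")
    return findings


if __name__ == "__main__":
    for value, reasons in find_transient_run_keys(SAMPLE_EVENTS).items():
        print(value, "->", "; ".join(reasons))
```

On a real host the same correlation can be run over exported Sysmon and System logs; the window should be kept short, since the write happens while the shutdown or suspend message is being processed.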

Installation and configuration changes

Qbot's installation technique has also been updated in this new version: it now uses a new DLL architecture that combines the loader and the malicious code in a single DLL.

Previously, the loader evaded automated malware sandboxes by keeping all malicious code in a separate DllRegisterServer component and invoking it only through regsvr32.exe or rundll32.exe with specific command-line parameters.

The new version simplifies this by dropping the command-line parameters and instead quietly injecting the code into a newly created process.

By creating a new process, the loader removes the command-line switches and the checks tied to them, while still retaining many anti-analysis and anti-sandbox checks; the new installation routine only runs after the code has been injected into explorer.exe.

Qbot has also moved the .dat configuration file and the victim logs it previously stored on the victim's disk into a new registry key.