QBot: The Rise, Evolution, and Resilience of a Cyberthreat

In the dynamic landscape of cybersecurity, identifying, mitigating, and preempting threats requires constant vigilance and adaptive strategy. Today's focus is on QBot, an evolving and persistent cyberthreat that stands as a testament to the resilience and innovation of malicious actors.  

Known also as QakBot or Pinkslipbot, QBot has been making the rounds in various forms since 2007, and today we delve into its modus operandi, adaptations, and ramifications.

QBot: From Banking Trojan to Malware Dropper

QBot initially emerged as a banking Trojan, stealing sensitive financial information. However, the malware has morphed over the years, showcasing its modular design's versatility.  

QBot now serves as a potent malware delivery platform, used by cybercriminals for network infiltration, data exfiltration, and secondary payload delivery. The malware offers a variety of capabilities, including sensitive data theft, network propagation, and remote code execution.

One concerning feature of QBot's evolution is its increasing sophistication in delivery methods. Threat actors have tested various delivery methods in recent months, using different file types like PDF, HTML, and OneNote files in the initial stages.  

In secondary delivery steps, QBot has utilized WSF, JavaScript, LNK, Batch, and HTA files. This polymorphic behavior and continuous adaptation underscore the need for up-to-date, multi-layered defense strategies.

The QBot and Black Basta Connection

The recent resurgence of QBot activity is predominantly linked to the Black Basta ransomware group. This prolific cybercriminal outfit has leveraged QBot to launch an aggressive campaign targeting companies based in the US.  

The campaign usually begins with spam or phishing emails containing malicious URL links. Once a user clicks on these links, Black Basta deploys QBot as the primary method to maintain a foothold in the victim’s network.

Black Basta's use of QBot is marked by a rapid progression from initial compromise to ransomware deployment. The speed of these attacks and the accompanying disabling of security mechanisms such as EDR and antivirus programs underline the urgent need for rapid detection and response capabilities.  

In this context, proactive defense measures like blocking malicious network connections, resetting Active Directory access, and comprehensive incident response are crucial.

DLL Hijacking: The Newest Tactic in QBot’s Arsenal

In an inventive twist, QBot operators recently started exploiting a DLL (Dynamic-Link Library) hijacking flaw in Windows 10's WordPad program. By creating a malicious DLL file with the same name as a legitimate one and placing it in an executable file's search path, QBot operators can trick the program into running the malicious DLL.  

This tactic allows the malware to stealthily execute commands and evade detection by security software.

When launched, the WordPad executable file attempts to load the malicious DLL. Consequently, QBot stealthily runs in the background, potentially stealing sensitive data and laying the groundwork for further compromises.  

This includes the use of Cobalt Strike, a post-exploitation toolkit used to gain initial access to the infected device, spread laterally through the network, and pave the way for ransomware attacks.

Staying Ahead of the Curve

In the face of the resilient and evolving threat of QBot, it is crucial for organizations to stay on their toes. Security measures need to be as adaptable as the threats they aim to neutralize. This involves not only maintaining up-to-date, multi-layered cybersecurity defenses but also fostering a culture of cybersecurity awareness within the organization.

In conclusion, the QBot malware operation showcases the persistence, adaptability, and ingenuity of cybercriminals. As we continue to grapple with this ever-evolving threat, we need to be vigilant and proactive in understanding and countering Qakbot's capabilities.

The persistence and resilience of the Qakbot operators are notable. Not only are they able to maintain and replenish the number of C2 servers, but they also have the ability to convert infected machines into C2 nodes.  

This tactic helps the cybercriminals evade enterprise detection methods and frustrates efforts by hosting providers to take down C2 servers.

At the heart of the Qakbot network, a tiered C2 architecture operates. The first level comprises the converted bot machines, while the second level consists of servers often hosted at VPS providers, particularly those located in Russia.  

A third component of the Qakbot infrastructure — a separate server that likely functions as a backconnect server — is evident. While its precise role remains partially shrouded in mystery, it appears to have a significant influence on turning bots into proxies that can be used or sold for a variety of purposes.

However, the versatility and adaptability of Qakbot do not end with its network structure. In fact, one of the recent shifts in its operation has been the change from using macro-laden attachments to Microsoft OneNote files for their spam emails.  

This change, among others, mirrors the agility of the Qakbot operators in altering their techniques in response to improved defenses.

Takeaway

Qakbot's ability to propagate itself within a network is highly efficient. By day seven of an infection, approximately 90% of all the data a bot will ever send to a C2 has been transmitted. This swift and ruthless efficiency underlines the urgent need for immediate response once a Qakbot infection has been detected.

But Qakbot isn’t operating in isolation. It’s part of an ecosystem of malware threats and cybercrime groups that continually learn from each other, refine their tactics, and evolve their tools. Recently, the Black Basta ransomware group has been using Qakbot in an aggressive campaign, primarily targeting US companies.  

Utilizing a range of techniques, from spam and phishing emails to malicious URL links, Black Basta leverages Qakbot as a robust platform for initiating and maintaining its presence on victims’ networks.

The risks posed by Qakbot are further escalated by the evolution in its delivery methods. Recently, the malware operation began exploiting a DLL hijacking flaw in the Windows 10 WordPad program.  

By leveraging a trusted program like WordPad, the threat actors hope that security software will be less likely to flag the malware as malicious. This strategy, while inventive, does serve as a stark reminder of the increasing sophistication of cyber threats.

All these characteristics highlight why Qakbot is not just another piece of malware; it's an intelligent, adaptive, and robust tool that's become an integral part of today's cybercriminal arsenal.  

To counter it, we must not only understand its tactics and techniques but also stay updated on its latest developments. Only then can we stay one step ahead in this continuous cat-and-mouse game against the unseen enemies of the digital world.

‍

‍Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.