Improved Qbot Banking Trojan Continues As A Force To Be Reckoned With

Published: April 16, 2022 on our newsletter Security Fraud News & Alerts Newsletter.



Since cybersecurity experts first discovered the Qbot banking trojan in 2008, the malware has continued to improve and expand its devastating bag of tricks, making it more persistent and effective than ever before. Also known as Qakbot and Pinkslipbot, Qbot has consistently morphed over time, with each new version bringing more harmful financial attacks. According to a study by Check Point Research, U.S. businesses are the #1 Qbot target, with 29% of all global attacks happening here. Worldwide, Qbot focuses nearly 37% of its efforts on the government, military, and manufacturing sectors. Security pros have watched iterations of Qbot continue, with the most recent version seen in August of this year.



Email Thread Stealer


Qbot now deploys an email collector module that, when activated, steals all email threads from the Outlook client, Microsoft's Office email product. The stolen emails are used for malspam (spam email) campaigns that make a message appear to be part of a legitimate, ongoing email conversation among employees, also called an “email thread.” By inserting the spam email as just another reply in the conversation, the attacker makes it easier for employees in the thread to trust it. Once they do, those employees are more likely to follow links and open attachments they'd never suspect are infected, much less with the Qbot Trojan. Check Point found email subjects incorporating coronavirus, job recruitment, and tax payment reminders, all topics that appear legitimate and are likely to be followed in an email thread.


Check Point also finds that the latest version of Qbot uses an infection method based on a VBS (Visual Basic Script) file. The malicious emails contain a URL link to a .ZIP file that, when opened, downloads the VBS file, releasing the Qbot Trojan onto the system. Qbot then goes about stealing passwords and information from particular websites and communicates with its Command and Control (C&C or C2) server. C&C allows a bad actor to remotely communicate with and control a compromised system within a targeted network. This banking trojan steals data from infected machines, including credit card and banking details, passwords, emails, and much more. It can also install ransomware on a device, the malware every organization dreads.
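As an added defender-side example (not part of the newsletter or of Check Point's research), the following Python mail-triage heuristic looks for the delivery pattern described above: a reply injected into an existing thread by a sender outside the organization, a link to a .zip archive or a .zip/.vbs attachment, and one of the lure subjects named in the article. The two sample messages and the internal domain name are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure topics the article says Check Point observed in Qbot subjects.
LURE_WORDS = ("coronavirus", "recruit", "job", "tax")
# Delivery artefacts from the article: a link to a .zip, or a .zip/.vbs attachment.
ZIP_LINK = re.compile(r"https?://\S+\.zip\b", re.IGNORECASE)
RISKY_EXT = (".zip", ".vbs")
INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain


def indicators(raw):
    """Return the list of Qbot-style indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").lower()
    sender = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    text = "".join(
        p.get_payload(decode=True).decode(errors="replace")
        for p in msg.walk() if p.get_content_type() == "text/plain"
    )
    names = [p.get_filename() or "" for p in msg.walk()]
    found = []
    # Thread hijacking: a reply inside an existing thread, but not from our own domain.
    in_thread = bool(msg["In-Reply-To"] or msg["References"]) or subject.startswith("re:")
    if in_thread and sender != INTERNAL_DOMAIN:
        found.append("external reply inside existing thread")
    if ZIP_LINK.search(text):
        found.append("link to .zip archive")
    if any(n.lower().endswith(RISKY_EXT) for n in names):
        found.append("archive or script attachment")
    if any(w in subject for w in LURE_WORDS):
        found.append("lure subject")
    return found


def flag(messages, threshold=2):
    """Map message name -> indicators, for messages with at least `threshold` hits."""
    scored = ((name, indicators(raw)) for name, raw in messages.items())
    return {name: hits for name, hits in scored if len(hits) >= threshold}


# Constructed sample messages (not real Qbot mail): one hijacked thread, one benign reply.
SAMPLES = {
    "hijacked": "From: alice@partner.invalid\nTo: bob@example.com\n"
                "Subject: RE: tax payment reminder\nIn-Reply-To: <1@example.com>\n"
                "Content-Type: text/plain\n\nUpdated file: http://dl.invalid/s.zip\n",
    "benign": "From: carol@example.com\nTo: bob@example.com\n"
              "Subject: RE: lunch on Friday\nIn-Reply-To: <2@example.com>\n"
              "Content-Type: text/plain\n\nWorks for me, see you at noon.\n",
}
```

Run `flag(SAMPLES)` to see which sample trips the threshold; in practice the thresholded result is a triage signal for a mail gateway or SOC queue, not a verdict on its own.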



Anti-Qbot Tips


Keeping Qbot at bay takes awareness of the tricks and tactics that malware infections rely on to succeed. With phishing emails as the preferred delivery method, common-sense email precautions should always apply. Beware of any email from an unknown or untrusted sender, especially one pushing you to act quickly on a topic. Subjects that exploit fears about coronavirus and offer fixes, account problems that supposedly need to be resolved by supplying login credentials and passwords, and generally anything that sounds too good to be true should be avoided and reported to an IT department or manager whenever possible.


Also, disabling macros, which are used in Microsoft Office to automate time-consuming tasks and are often assigned to keyboard shortcuts, is strongly recommended and easy to do. Cybercriminals can embed malicious macros in a document that download malware and manipulate or delete files on a hard drive. Finally, never open attachments or follow links in an email unless the sender can be verified as known and trusted and you are expecting to receive them. Malicious links lead to bogus websites designed to steal PII (personally identifiable information), and attachments can be loaded with malware like Qbot. So keep your phishing antenna set on high: suspect first, and trust only after verifying.
