Thought leadership. Threat analysis. Cybersecurity news and alerts.
Decade-Old Qbot Banking Malware Makes a Comeback
The decade-old Qbot banking malicious software (malware) has made a comeback, this time exploiting a tool that already exists on targeted computers: BITSAdmin.
Researchers at Varonisrevealed that thousands of computers around the globe have been compromised and under active control by a new variant of the Qbot malware, this time leveraging BITSAdmin, a common administration tool. The researchers said they found 2,726 unique victim IP addresses infected with this new variant of Qbot.
The researchers added that the number of victims is likely much larger as many organizations use port address translation that hides internal IP addresses. Majority of the Qbot malware victims, Varonis researchers said were located in the U.S., but victims were also found in Canada, the U.K., France, Brazil, Germany, South Africa, Russia, China and India.
What Is Qbot?
Qbot, also known as Qakbot or Pinkslipbot, is a malware that was first observed in the wild in 2007. Through the years, this malware has morphed into various versions due in part to the fact that the source code of this malware is publicly available. The various versions of Qbot retain the primary purpose of this malware, that is, to steal online banking account information from compromised computers.
According to Microsoft, over the years, cybercriminals behind Qbot have improved the Qbot code, enabling this malware to better “evade detection, stay under the radar longer, and increase the chances of spreading to other potential victims.”
Various versions of Qbot, including the latest version observed by Varonis, steal online banking account information from compromised computers through keylogging and hooking.
In keylogging, every keystroke that the victim enters is automatically captured and sent to the Qbot attackers. Hooking, also known as code hooking, modifies the behavior of a computer program. For instance, antivirus programs use hooking once it discovers the presence of a malware. On the flip side, cyberattackers use hooking as well, for instance, altering the behavior of a computer program or a browser, which can lead to exfiltration of passwords and cookies (referring to the text file that a web browser stores on a user's computer).
Another common feature of Qbot variants is the worm-like capability or the ability to spread across an organization’s network and infect other systems without user interaction. According to Microsoft, Qbot "can drop copies in other machines in the network using Server Message Block (SMB) and then use remote execution to activate.” SMB is a Microsoft Windows protocol for sharing files over a network.
Another common feature of Qbot variants is the initial infection process. Like many other cyberattacks, Qbot initially arrives on the victim's computer through malicious email campaigns, containing a malicious attachment and/or link.
What Is BITSAdmin?
BITS in the term “BITSAdmin” stands for Background Intelligent Transfer Service (BITS). BITS is a component of Microsoft Windows operating systems which facilitates updates and other applications to operate in the background without interrupting other networked applications.
Cybercriminals have learned to abuse BITS by using this legitimate administration tool for downloading, executing and even cleaning up after running malicious code. The interface to create and manage BITS jobs or tasks is accessible through PowerShell, a tool capable of executing code from memory and providing administrative access directly to a device's core, and BITSAdmin tool, a tool that can be used to create download or upload BITS jobs and monitor their progress.
In the past, cybercriminals behind Qbot have used PowerShell to download and run the Mimikatz, another malware that steals credentials, allowing attackers to move rapidly across a network once they have established an initial foothold.
Researchers at Varonis reported that the latest Qbot, uses BITSAdmin, another common administration tool in Windows operating systems, to download Qbot’s loader – a component that executes the core malware.
The abuse of legitimate administration tools such as PowerShell and the BITSAdmin are examples of “living off the land” cyberattack techniques that exploit tools that already exist on targeted computers. Exploiting these common administration tools makes detection difficult.
One probable explanation why the cyberattackers behind the latest variant of Qbot use the administration tool BITSAdmin, instead of PowerShell, is that PowerShell is now closely monitored on enterprise systems. A recent study conducted by IBMshowed that more than half or 57% of cyberattacks exploit tools that already exist on targeted computers. The IBM study highlighted that the administration tool that’s often exploited by cyberattackers is PowerShell.
Cyberattackers that abuse PowerShell and BITSAdmin have first to execute their malicious code on the targeted computer. The initial infection of PowerShell and BITSAdmin-based attacks is often phishing attacks, attacks that use malicious emails that contain malicious attachments and/or links.
In the case of the latest variant of Qbot, Varonis researchers said the first infection was likely carried out via a phishing email that tricked the victim into running a malicious file. Cybersecurity best practices for mitigating phishing attacks also apply for mitigating PowerShell and BITSAdmin-based attacks. These mitigating measures include deleting any suspicious emails, especially those containing suspicious links and/or attachments, and avoiding enabling macros in Microsoft Office.
Disabling all BITS functionality, meanwhile, as a preventive measure is a tricky business as this will likely have unintentional side effects, such as preventing legitimate software patching and updating. Some of the mitigating measures that are specific to BITSAdmin-based attacks include modifying host firewall rules and other network controls to only allow legitimate BITS traffic, and monitoring usage of the BITSAdmin tool, including the command options “Transfer”, “Create”, “AddFile”, “SetNotifyFlags”, “SetNotifyCmdLine”, “SetMinRetryDelay” and “Resume”.
Steve E. Driz, I.S.P., ITCP