Improved Qbot Worm Targets Public Institutions

Researchers at BAE Systems have observed an improved version of the Qbot malware being used in attacks aimed at public institutions in the United States and other countries.

Qbot, also known as Qakbot, is a worm that has been around since 2009. The threat, which includes backdoor capabilities and can automatically spread in a network, is primarily designed to help attackers steal credentials from infected systems.

BAE Systems discovered the improved Qbot in early 2016, when the company was called in by an organization where the malware had infected more than 500 computers and disrupted the operation of critical systems.

Based on information from the attackers’ servers and domain sinkholing statistics, the security firm determined that, over a two-week period in early February, more than 54,000 machines from all over the world had been part of the botnet. A majority of the victims (85 percent) were located in the United States, followed by Canada and the United Kingdom.

According to BAE Systems, cybercriminals appear to be primarily using Qbot to target public organizations such as police departments, hospitals and universities. The largest number of victims has been spotted in the academic sector, followed by government and healthcare.

In the attacks monitored by researchers, cybercriminals delivered Qbot via compromised websites that redirected visitors to the RIG exploit kit.

The malware’s developers have made several improvements to their creation in order to increase its chances of evading detection and to protect it against analysis attempts. Experts discovered that Qbot protects itself with a fairly sophisticated runtime encryptor, with APIs and strings kept in encrypted blocks and decrypted only when necessary. This ensures that important strings cannot be easily recovered if someone dumps the memory of an infected machine.

In order to avoid running in sandboxes and virtual machines, the malware checks for the presence of various strings typically associated with virtual environments.

Malicious actors have also started leveraging server-based polymorphism to help their creation evade detection. Whenever a sample is retrieved from the command and control (C&C) server, a script patches it with two large blobs of randomly generated data, resulting in a piece of malware with a different hash compared to previously generated samples. This is the first level of polymorphism and the process does not affect the malware’s functionality.

At a second level of polymorphism, the sample is completely recompiled and re-encrypted, which results in a different structure. At this level, the sample’s internal version number is changed and the attackers can assign a new configuration file with different C&C and FTP domains. These new versions are sent out to the bots as updates every six hours.

“The server-based polymorphism used by Qbot allows it to largely avoid AV detection. Typically, out of 55 AV vendors, only a couple of reputable AV vendors are reliably able to detect Qbot – or to be specific, generically detect its external encryptor,” BAE Systems wrote in a report on Qbot. “After a few days, the same sample is normally detected by more than half of the AV engines. However, as the bot normally updates itself with a new version within a day or two, it keeps ahead of this process and remains undetected for long periods.”
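The first level of polymorphism described above defeats exact file-hash matching because every download carries different random padding. The following Python script is an added illustration written for this article, not code from BAE Systems’ report or from the malware: it builds a constructed stand-in (a fixed core with two blobs of random data patched in, a layout assumed here purely for demonstration rather than Qbot’s real file format), shows that the SHA-256 of each download differs, and then shows that a content-defined chunk similarity measure, of the kind fuzzy-hashing tools use, still recognises the shared core.

```python
import hashlib
import random
import zlib


def random_bytes(seed: str, n: int) -> bytes:
    """Deterministic pseudo-random bytes, standing in for the 'randomly
    generated data' the C&C script patches into each download."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-in for a malware body: a fixed core that is identical across
# builds, split into two parts so one random blob can sit in the middle and one
# at the end. This layout is an assumption for illustration, not Qbot's format.
CORE_A = random_bytes("core-a", 12000)
CORE_B = random_bytes("core-b", 12000)


def build_sample(download_id: int, blob_size: int = 1500) -> bytes:
    """Mimic the first level of server-side polymorphism: the same core is
    patched with fresh random blobs on every download, so each sample has a
    different file hash while its functionality is unchanged."""
    blob1 = random_bytes(f"blob1-{download_id}", blob_size)
    blob2 = random_bytes(f"blob2-{download_id}", blob_size)
    return CORE_A + blob1 + CORE_B + blob2


def sha256_hex(data: bytes) -> str:
    """Whole-file hash, the kind of indicator that per-download patching defeats."""
    return hashlib.sha256(data).hexdigest()


def chunk_hashes(data: bytes, window: int = 16, mask: int = 0xFF) -> set:
    """Content-defined chunking: a chunk boundary is placed wherever the CRC of
    the trailing `window` bytes has its low bits equal to zero. Because a cut
    depends only on nearby content, the chunking re-synchronises right after an
    inserted blob, and the unchanged core yields the same chunks in every build.
    Average chunk length is about mask + 1 bytes."""
    chunks = set()
    start = 0
    for end in range(window, len(data) + 1):
        if zlib.crc32(data[end - window:end]) & mask == 0:
            chunks.add(hashlib.sha256(data[start:end]).hexdigest()[:16])
            start = end
    if start < len(data):
        chunks.add(hashlib.sha256(data[start:]).hexdigest()[:16])
    return chunks


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two chunk sets: 1.0 for identical files, near
    0.0 for unrelated files, and high for samples that share a core and differ
    only in the patched-in random data."""
    ha, hb = chunk_hashes(a), chunk_hashes(b)
    return len(ha & hb) / len(ha | hb)


if __name__ == "__main__":
    s1, s2 = build_sample(1), build_sample(2)
    print("same sha256:      ", sha256_hex(s1) == sha256_hex(s2))
    print("chunk similarity: ", round(similarity(s1, s2), 2))
```

The takeaway for defenders is that indicators based on whole-file hashes expire with every download, whereas similarity hashing over the invariant parts of the sample, or the generic detection of the external encryptor that the report mentions, survives this level of polymorphism. The second level, a full recompile and re-encryption, changes the core as well, which is why BAE Systems observed detection lagging behind the bot’s own update cycle.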

The threat moves laterally in an infected network using default shared folders. If these shared locations are password protected, Qbot attempts to access them via a brute-force attack that leverages a long list of common passwords.

Additionally, the worm spreads by stealing network and other potentially useful credentials from the Windows Credential Manager and the password manager in Internet Explorer.
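The brute-force behaviour against password-protected shares leaves a distinctive trail on the file server: a burst of failed network logons from one workstation, sometimes followed by a success once a password from the list matches. The Python script below is an added detection example written for this article, not code from BAE Systems or from any product; it runs over a constructed, simplified excerpt of Windows Security log events (4625 failed logon, 4624 successful logon, logon type 3 for network access to a share) and flags hosts that exceed a failure threshold inside a sliding time window.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed excerpt of a Windows Security log on a file server, flattened to one
# event per line: timestamp, EventID, LogonType, source workstation, target account.
# 4625 is a failed logon, 4624 a successful one; LogonType 3 is a network logon,
# which is what opening a shared folder produces. WS-014 plays an infected host
# working through a password list; WS-002 is a user who mistyped once.
SAMPLE_LOG = """\
2016-02-03T09:00:01 4625 3 WS-014 fileshare
2016-02-03T09:00:02 4625 3 WS-014 fileshare
2016-02-03T09:00:03 4625 3 WS-014 fileshare
2016-02-03T09:00:04 4625 3 WS-002 jsmith
2016-02-03T09:00:04 4625 3 WS-014 fileshare
2016-02-03T09:00:05 4625 3 WS-014 fileshare
2016-02-03T09:00:06 4625 3 WS-014 fileshare
2016-02-03T09:00:07 4624 3 WS-031 mlee
2016-02-03T09:00:07 4625 3 WS-014 fileshare
2016-02-03T09:00:08 4625 3 WS-014 fileshare
2016-02-03T09:00:09 4625 3 WS-014 fileshare
2016-02-03T09:00:10 4625 3 WS-014 fileshare
2016-02-03T09:00:12 4624 3 WS-014 fileshare
2016-02-03T09:00:20 4624 3 WS-002 jsmith
"""


def detect_share_bruteforce(log_text: str, threshold: int = 8,
                            window_seconds: int = 60) -> dict:
    """Flag any source host that produces `threshold` or more failed network
    logons within `window_seconds`, and record whether a successful network
    logon from the same host followed: that is the signal that a guessed
    password worked and the share is now reachable by the worm."""
    recent = defaultdict(deque)   # host -> (timestamp, account) of failures in window
    alerts = {}                   # host -> alert details
    for line in log_text.strip().splitlines():
        ts_text, event_id, logon_type, host, account = line.split()
        if logon_type != "3":
            continue              # only share/network logons are of interest here
        ts = datetime.fromisoformat(ts_text)
        if event_id == "4625":
            window = recent[host]
            window.append((ts, account))
            # Drop failures that have aged out of the sliding window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                alert = alerts.setdefault(
                    host, {"first_seen": window[0][0], "success_after": False})
                alert["failures"] = len(window)
                alert["accounts"] = sorted({a for _, a in window})
        elif event_id == "4624" and host in alerts:
            alerts[host]["success_after"] = True
            alerts[host]["success_account"] = account
    return alerts


if __name__ == "__main__":
    for host, details in detect_share_bruteforce(SAMPLE_LOG).items():
        print(host, details)
```

A single mistyped password from WS-002 stays below the threshold, while the ten rapid failures from WS-014 against the same account, followed by a success, match the pattern the article describes. In a real environment the same logic belongs in the SIEM, keyed on the server’s 4625/4624 events, and a host that trips it alongside credential reads from Windows Credential Manager or the browser is a strong candidate for isolation.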

“The actors behind this have been resourceful throughout – using a large number of compromised GoDaddy accounts and a continual registration of Rig landing pages. They have been careful in the re-use of infrastructure and domains, restricting any possible attributes which could reveal additional infrastructure,” researchers said. “Using highly-populated infrastructure is typically considered bad practice, but in this case indicates that the attackers have a well-formed strategic approach and are able to quickly switch to new infrastructure and domains when required.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
