Researchers at BAE Systems have observed an improved version of the Qbot malware being used in attacks aimed at public institutions in the United States and other countries.
Qbot, also known as Qakbot, is a worm that has been around since 2009. The threat, which includes backdoor capabilities and can automatically spread in a network, is primarily designed to help attackers steal credentials from infected systems.
BAE Systems discovered the improved Qbot in early 2016, when the company was called in by an organization where the malware had infected more than 500 computers and disrupted the operation of critical systems.
Based on information from the attackers’ servers and domain sinkholing statistics, the security firm determined that, over a two week period in early February, a total of more than 54,000 machines from all over the world had been part of the botnet. A majority of the victims (85 percent) were located in the United States, followed by Canada and the United Kingdom.
According to BAE Systems, cybercriminals appear to be primarily using Qbot to target public organizations such as police departments, hospitals and universities. The largest number of victims have been spotted in the academic sector, followed by government and healthcare.
In the attacks monitored by researchers, cybercriminals delivered Qbot via compromised websites that lead to the RIG exploit kit.
The malware’s developers have made several improvements to their creation in order to increase its chances of evading detection, and protect it against analysis attempts. Experts discovered that Qbot protects itself with a fairly sophisticated runtime encryptor, with APIs and strings kept in encrypted blocks and decrypted only when necessary. This ensures that important strings cannot be easily accessed if someone dumps the memory of an infected machine.
In order to avoid running in sandboxes and virtual machines, the malware checks for the presence of various strings typically associated with virtual environments.
Malicious actors have also started leveraging server-based polymorphism to help their creation evade detection. Whenever a sample is retrieved from the command and control (C&C) server, a script patches it with two large blobs of randomly generated data, resulting in a piece of malware with a different hash compared to previously generated samples. This is the first level of polymorphism and the process does not affect the malware’s functionality.
At a second level of polymorphism, the sample is completely recompiled and re-encrypted, which results in a different structure. At this level, the sample’s internal version number is changed and the attackers can assign a new configuration file with different C&C and FTP domains. These new versions are sent out to the bots as updates every six hours.
“The server-based polymorphism used by Qbot allows it to largely avoid AV detection. Typically, out of 55 AV vendors, only a couple of reputable AV vendors are reliably able to detect Qbot – or to be specific, generically detect its external encryptor,” BAE Systems wrote in a report on Qbot. “After a few days, the same sample is normally detected by more than half of the AV engines. However, as the bot normally updates itself with a new version within a day or two, it keeps ahead of this process and remains undetected for long periods.”
The threat moves laterally in an infected network using default shared folders. If these shared locations are password protected, Qbot attempts to access them via a brute-force attack that leverages a long list of common passwords.
Additionally, the worm spreads by stealing network and other potentially useful credentials from the Windows Credential Manager and the password manager in Internet Explorer.
“The actors behind this have been resourceful throughout – using a large number of compromised GoDaddy accounts and a continual registration of Rig landing pages. They have been careful in the re-use of infrastructure and domains, restricting any possible attributes which could reveal additional infrastructure,” researchers said. “Using highly-populated infrastructure is typically considered bad practice, but in this case indicates that the attackers have a well-formed strategic approach and are able to quickly switch to new infrastructure and domains when required.”