| Name | Qbot |
| Additional Names | Qakbot, Pinkslipbot, QuackBot |
| Type of Malware | Banking Trojan |
| Date of Initial Activity | 2008 |
| Associated Groups | TA551, ransomware gangs such as REvil, ProLock, and Lockbit |
| Motivation | Steals financial data, browser information/hooks, keystrokes, credentials, inject ransomware |
| Attack Vectors | Malspam, Exploit kits, Second stage (often dropped by Emotet), Visual Basic script downloaders |
| Targeted System | Windows |
Overview
Qbot AKA Qakbot is a banking Trojan that first appeared in 2008. It was designed to steal a user’s banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Qbot has been an active threat for over 14 years and continue.
Targets
Targets regular corporate users world wide.
Tools/ Techniques Used
Classified as a banking trojan, worm, and remote access trojan (RAT), Qakbot steals sensitive data and attempts to self-propagate to other systems on the network. Qakbot also provides remote code execution (RCE) capabilities, allowing attackers to perform manual attacks to achieve secondary objectives such as scanning the compromised network or injecting ransomware.
As a second-stage exploit kit, Qakbot is introduced to a target’s system by first-stage downloader malware—either as part of the initial exploit or soon after initial access has been gained. Initial access breaches can happen via multiple techniques, such as malspam or email phishing with a trojanized document, exploiting a public-facing vulnerability, or malicious insider attacks. Once operating on a target system, Qakbot seeks to steal credentials and spread to other hosts on the network using Microsoft PowerShell and the Mimikatz exploit kit.
Qakbot uses several techniques to steal sensitive information from victims, including: Monitoring keystrokes and sending the logs to attacker-controlled systems Enumerating system files to identify stored password hashes Searching browser password caches to steal passwords stored using the browser’s autofill feature As a second-stage malware, part of Qakbot’s strategy is stealth.
To avoid detection, Qakbot evaluates a local system environment and will not decrypt its payload or execute in some scenarios, such as when virtualization is detected or when certain security products or Windows Registry keys are present.
This allows Qakbot to conceal its functionality by preventing security researchers from quickly obtaining and analyzing the payload. Another Qakbot stealth strategy is injecting itself (or piggybacking) into legitimate application processes. A new QBot malware campaign dubbed “QakNote” has been observed in the wild in February 2023, using malicious Microsoft OneNote’ .one’ attachments to infect systems with the banking trojan.
Impact / Significant Attacks
After updated versions were made available in 2015, Qakbot gained new momentum; in 2020, threat researchers noted that the release of a novel Qakbot strain resulted in a 465 percent increase in its year-over-year share of cyberattacks.
In 2021, Qakbot was leveraged in the prominent cyber-breach of JBS, which disrupted its meat production facilities and forced an $11 million ransom payment.
