Qbot, also known as Qakbot or QuakBot, has returned to its lightning-fast attacks: the malware begins stealing emails and credentials from a victim only about 30 minutes after the initial infection.
Qbot was already observed in data-theft operations in October 2021, according to a new report by the Department of Homeland Security and Intelligence.
With this recent return, the threat actors behind Qbot are believed to have reverted to their previous modus operandi.
According to the analysts, it takes the operators about half an hour after infection to steal browser data and Outlook emails, and less than an hour to move to an adjacent workstation once that data has been taken.
Qbot steals Windows credentials by injecting into the memory of LSASS (the Local Security Authority Subsystem Service), and it harvests saved credentials from web browsers. These credentials are then used for lateral movement to other devices on the network, which begins on average about fifty minutes after the initial execution.
Qbot Malware
Qbot has also been used by ransomware operations, including REvil, Egregor, ProLock, PwndLocker, and MegaCortex, to breach corporate networks before deploying their ransomware.
Over the past few years the Qbot (also known as QuakBot or Qakbot) family has evolved into a widely distributed Windows malware that lets threat actors steal banking and Windows domain credentials, infect other computers, and provide remote access to ransomware gangs.
Victims are usually infected through phishing campaigns that use lures such as bogus invoices, payment or banking notices, and scanned documents, or as a secondary payload dropped by another malware infection.
To prevent intrusions and limit movement through a compromised environment, defenders need to understand how the threat actors behind Qbot gain access and how they move once inside.
How Qbot Infects Devices
As reported by Bleeping Computer, initial access typically comes from an Excel (XLS) document containing a macro that drops the DLL loader on the target machine.
This payload then runs, injects into the msra.exe process, and uses a scheduled task to elevate itself to SYSTEM privileges.
Once running inside msra.exe, the malware also adds the Qbot DLL to the Microsoft Defender exclusion list so that the DLL is not detected when it is injected into the process.
Within half an hour of the malware's initial execution, it steals emails, which are later used in reply-chain phishing attacks and sold to other threat actors.
After scanning the environment, Qbot moves laterally to every workstation it can reach by copying its DLL to the next target and remotely creating a service to execute it.
At the same time, the previous infection removes itself, so the machine whose credentials were stolen only moments earlier is disinfected and left looking clean.
The services created on the new workstations are also created with the DeleteFlag set, so they are removed when the system reboots.
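The chain described above (an Office document spawning a DLL loader, a scheduled task created from the injected msra.exe, the Defender exclusion, LSASS memory access for credential theft, and a remotely created service that runs the copied DLL) maps onto a handful of host-telemetry checks. The following detector is an added example, not code from the original report, from Bleeping Computer, or from Qbot itself. It runs over constructed Sysmon-style events (Event IDs 1, 10 and 13) and a System-log service-installation event (Event ID 7045); the one-JSON-object-per-line format, the field names, the sample events and the LSASS allowlist are all assumptions made for illustration.

```python
"""Added detection example for the Qbot intrusion chain described above.

Not Qbot code and not from the original report: the event format (one JSON
object per line with simplified Sysmon/System-log field names) and the sample
events below are constructed for illustration.
"""
from __future__ import annotations

import json

# Registry key under which Defender path exclusions are stored (real key; the
# value name is the excluded path).
DEFENDER_EXCLUSION_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory
# Illustrative (assumed) allowlist of processes expected to open LSASS; tune per environment.
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# Constructed sample telemetry (assumed format): Sysmon 1 = process create,
# 10 = process access, 13 = registry value set; 7045 = service installed.
SAMPLE_LOG = r"""
{"id": 1, "host": "WS01", "image": "C:\\Windows\\System32\\regsvr32.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "regsvr32.exe -s C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.dll"}
{"id": 1, "host": "WS01", "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\msra.exe", "cmdline": "schtasks /Create /RU SYSTEM /SC ONCE /TN upd /TR \"regsvr32.exe -s C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.dll\""}
{"id": 13, "host": "WS01", "image": "C:\\Windows\\System32\\msra.exe", "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.dll"}
{"id": 10, "host": "WS01", "source_image": "C:\\Windows\\System32\\msra.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"}
{"id": 7045, "host": "WS02", "service_name": "abcd1234", "image_path": "regsvr32.exe -s C:\\Windows\\Temp\\abcd1234.dll", "account": "LocalSystem"}
{"id": 1, "host": "WS01", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per event that matches a stage of the chain."""
    findings: list[dict] = []

    def hit(event: dict, rule: str, detail: str) -> None:
        findings.append({"host": event["host"], "rule": rule, "detail": detail})

    for e in events:
        eid = e["id"]
        if eid == 1:
            parent, child = basename(e["parent_image"]), basename(e["image"])
            # Stage 1: macro document launching the DLL loader.
            if parent in OFFICE_APPS and child in DLL_LOADERS:
                hit(e, "office_spawns_dll_loader", e["cmdline"])
            # Stage 2: scheduled task created from the injected msra.exe.
            elif parent == "msra.exe" and child == "schtasks.exe" and "/create" in e["cmdline"].lower():
                hit(e, "msra_creates_scheduled_task", e["cmdline"])
        elif eid == 13 and e["target_object"].lower().startswith(DEFENDER_EXCLUSION_KEY.lower()):
            # Stage 3: Defender exclusion added for the dropped DLL.
            hit(e, "defender_exclusion_added", e["target_object"])
        elif eid == 10 and basename(e["target_image"]) == "lsass.exe":
            # Stage 4: credential theft via a read of LSASS memory.
            access = int(e["granted_access"], 16)
            if access & PROCESS_VM_READ and basename(e["source_image"]) not in LSASS_READERS_ALLOWED:
                hit(e, "lsass_memory_read", e["source_image"])
        elif eid == 7045:
            # Stage 5: remotely created service whose binary path runs the copied DLL.
            launcher = e["image_path"].split()[0].strip('"')
            if basename(launcher) in DLL_LOADERS:
                hit(e, "service_runs_dll_loader", e["image_path"])
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f['host']}: {f['rule']} -> {f['detail']}")
```

On the constructed log this yields five findings, one per stage, with the last on WS02 where the lateral-movement service appeared. In practice you would correlate findings per host and by time: the half-hour and fifty-minute figures from the report mean the whole chain should surface within roughly an hour of the first Office-spawned loader, and the self-removal step means the first host may already look clean by the time the service shows up on the next one.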