Qbot

Qbot, also referred to as QakBot, Pinkslip, or Pinkslipbot, is a banking trojan first identified in 2009 as a worm spreading through network shares and removable storage devices. It downloads files, steals information, and opens a backdoor on the compromised device. It is distributed via drive-by downloads after users visit infected webpages. Qbot then spreads itself through networks by copying itself to shared folders as well as removable drives. It is typically used in highly-targeted campaigns to avoid drawing attention to their operations. It is used by threat actors to obtain sensitive information including:

  • Authentication cookies, including Flash cookies
  • DNS, IP, and hostname details
  • Login details for FTP, IRC, POP3, and IMAP
  • OS and system information
  • Geographic and browser version information
  • Login credentials for specific websites
  • Keystrokes including login information
  • Outlook account information
  • Private keys from system certificates
  • URLs visited

A new wave of attacks in May 2017 used a new version of Qbot that included additional capabilities. This trojan now supports a polymorphic mechanism that allows it to self-mutate as it moves inside a targeted network and an improved self-spreading method using brute-forcing on endpoints connected by the same domain controller. It uses a list of hardcoded credentials to launch dictionary attacks on nearby endpoints; failed authentication attempts trigger the domain controller to lock out the machines where the logins originate. The infected machine is then locked out of its active directory domain. To date, Qbot holds 2 percent of the banking trojan marketplace.

Reporting

  • October 2014: Threat actors infect more than 500,000 systems with Qbot, targeting credentials in the United States. (SC Magazine)
  • April 2016: Qbot reemerges in malware development and deployments. (Cisco Talos)
  • May 2017: Qbot causes massive Active Directory lockout. (IBM)
  • June 2017: McAfee discovered Qbot/Pinkslipbot exploiting infected machines as control servers, developed free tool for detecting and disabling the trojan. (McAfee)

Technical Details

  • Symantec provides technical analysis of the first version of Qbot, here.
  • IBM X-Force provides technical analysis of Qbot, including IOCs, here.