Varonis Uncovers Another New Strain of the Qbot Banking Malware

Varonis has discovered and reverse engineered another new strain of Qbot, a sophisticated, well-known type of malware that collects sensitive data, such as browser cookies, digital certificate information, keystrokes, credentials, and session data from its victims to commit financial fraud.
Dolev Taler
2 min read
Published January 27, 2020
Last updated January 17, 2023

Varonis Security Research and Forensics teams responded to several Qbot infections in 2019, mostly in the US. The threat actors appear to have been busy: they’ve been creating new strains with new functionality as well as improving their SecOps capabilities.

We detailed an earlier strain of Qbot and discussed its TTPs (tactics, techniques and procedures); this strain differs in two main ways:

  • Instead of brute-forcing domain user passwords, it uses the access of the already-compromised user to enumerate the network shares that user can reach.
  • It sends the victim data to an FTP server (logging in with hard-coded credentials) instead of using HTTP POST requests.

Discovery

One of our customers reached out after receiving an alert from the Varonis Data Security Platform that a user’s account had deviated from its behavioral baseline and accessed an atypical number of network devices. The customer then looked at AV logs from the suspected device and noticed unhandled infected file alerts from around the same time.
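The alert that started this investigation was a behavioral one: a single account touching far more hosts in a day than its own history predicts. The script below is an added example of that kind of check, written for this page; it is not Varonis code, and the event format, the constructed access events and the thresholds are all assumptions. It scores each user-day against that user's earlier days and adds a second guard so that a user with a perfectly flat baseline (standard deviation of zero) does not alert on one extra host.

```python
"""Behavioral-baseline check: one user suddenly touching many hosts.

Added example, not Varonis code. The event format (day, user, host), the
thresholds and the events below are constructed for illustration.
"""
from collections import defaultdict
import statistics

# Constructed sample of file-server access events: (day, user, host).
EVENTS = [
    # jsmith normally touches two or three file servers a day
    ("2019-11-04", "jsmith", "FS01"), ("2019-11-04", "jsmith", "FS02"),
    ("2019-11-05", "jsmith", "FS01"), ("2019-11-05", "jsmith", "FS02"),
    ("2019-11-05", "jsmith", "FS03"),
    ("2019-11-06", "jsmith", "FS01"), ("2019-11-06", "jsmith", "FS02"),
    ("2019-11-07", "jsmith", "FS01"), ("2019-11-07", "jsmith", "FS03"),
    ("2019-11-08", "jsmith", "FS01"), ("2019-11-08", "jsmith", "FS02"),
    # agreen only ever uses one server, so her baseline has zero variance
    ("2019-11-04", "agreen", "FS05"), ("2019-11-05", "agreen", "FS05"),
    ("2019-11-06", "agreen", "FS05"), ("2019-11-07", "agreen", "FS05"),
    ("2019-11-08", "agreen", "FS05"),
    ("2019-11-11", "agreen", "FS05"), ("2019-11-11", "agreen", "FS06"),
]
# On the infection day the malware enumerates every reachable share under
# jsmith's token: twelve distinct hosts in one day (constructed).
EVENTS += [("2019-11-11", "jsmith", f"FS{n:02d}") for n in range(1, 13)]


def distinct_hosts_per_day(events):
    """Map user -> day -> set of hosts touched that day."""
    table = defaultdict(lambda: defaultdict(set))
    for day, user, host in events:
        table[user][day].add(host)
    return table


def baseline_alerts(events, z_threshold=3.0, min_history_days=5, min_excess=3):
    """Score each user-day against that user's own earlier days.

    A day alerts when its distinct-host count is at least z_threshold
    standard deviations above the user's historical mean AND exceeds the
    historical maximum by at least min_excess hosts. The second guard keeps
    a flat baseline (stdev 0) from alerting on a single extra host.
    """
    alerts = []
    for user, days in distinct_hosts_per_day(events).items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [len(days[d]) for d in ordered[:i]]
            if len(history) < min_history_days:
                continue  # not enough history to call anything abnormal
            mean = statistics.mean(history)
            stdev = statistics.pstdev(history) or 1.0
            count = len(days[day])
            z = (count - mean) / stdev
            if z >= z_threshold and count - max(history) >= min_excess:
                alerts.append({
                    "user": user, "day": day, "hosts": count,
                    "baseline_mean": round(mean, 2), "z": round(z, 2),
                })
    return alerts


if __name__ == "__main__":
    for a in baseline_alerts(EVENTS):
        print(f"ALERT {a['day']} {a['user']}: {a['hosts']} hosts "
              f"(baseline {a['baseline_mean']}, z={a['z']})")
```

On the constructed data only jsmith's infection day fires (twelve hosts against a baseline of about two); agreen's move from one to two servers stays quiet because of the minimum-excess guard.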

The unhandled files were in the user’s temp folder and had .vbs and .zip extensions. Varonis Forensics team helped the customer extract the malicious file samples; our research team analyzed them and discovered the new Qbot variant.

How It Works

We ran the infected file in our lab environment and found the same indicators as in our prior Qbot investigation: injection into the explorer.exe process, connections to the same remote URLs, the same registry and on-disk persistence methods, and the same anti-forensic trick of overwriting its own file on disk with a copy of calc.exe.

This strain carried an encrypted configuration file, misleadingly given a “.dll” extension. By dynamically analyzing the injected explorer.exe process we determined that the configuration is RC4-encrypted and that the key is the SHA1 hash of a string the malware derives for each device. The string is device-specific rather than random: the previous Qbot variant produced the same string on the same device.

This is the configuration data we decrypted for our device:

Qbot II Configuration Data

The configuration data contains:

  • Time of installation
  • Last call time from C2
  • The external victim IP address
  • List of network shares on the victim environment

Phase I – Dropper

File name: JVC_82633.vbs

SHA1: f38ed9fec9fe4e6451645724852aa2da9fce1be9

Much like the previous version, this version of Qbot also used a VBS file to download the main modules of the malware.

Phase II – Persistence and process injection

Like our previous sample, the loader executes the core malware modules and gains persistence. This version copies itself to %APPDATA%\Microsoft\{Randomized String} (that is, under AppData\Roaming\Microsoft) instead of %APPDATA%\{Randomized String}, but the registry values and the task scheduler routine are the same.

The main payload is injected into all the active processes under the user.

Phase III – Data exfiltration to the attacker’s server

After establishing persistence, the malware tries to reach its C2 server at the host content.bigflimz.com. This version collects sensitive data from the victim’s machine, encrypts it and uploads it over FTP to a server, logging in with hard-coded credentials.

This server holds encrypted archives collected from victims, named according to the convention “artic1e-<6 characters><6 digits>-<upload time as a Unix epoch>.zip”.
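A first triage step on such a listing is to parse the names against that convention and turn the epoch field into a timeline of uploads. The script below is an added example written for this page, not Varonis code; the directory listing is constructed, and the choice to treat the six “characters” as letters is our assumption (widen the character class if a real listing shows digits or symbols there).

```python
"""Parse exfiltrated-archive names of the form
"artic1e-" + 6 characters + 6 digits + "-" + epoch + ".zip".

Added example, not Varonis code. The listing is constructed, and the
assumption that the six "characters" are letters is ours.
"""
import re
from datetime import datetime, timezone

ARCHIVE_RE = re.compile(
    r"^artic1e-(?P<token>[A-Za-z]{6}\d{6})-(?P<epoch>\d{9,10})\.zip$"
)

# Constructed FTP directory listing (names only). Not a real capture.
LISTING = """\
artic1e-qwerty123456-1573000000.zip
artic1e-asdfgh654321-1573086400.zip
artic1e-qwerty123456-1573172800.zip
readme.txt
artic1e-badname-notanumber.zip
"""


def parse_listing(listing: str):
    """Return one record per matching name, oldest first; skip everything else."""
    records = []
    for raw in listing.splitlines():
        name = raw.strip()
        m = ARCHIVE_RE.match(name)
        if not m:
            continue  # not an exfil archive (or a name outside the convention)
        epoch = int(m.group("epoch"))
        records.append({
            "name": name,
            "token": m.group("token"),
            "epoch": epoch,
            "utc": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        })
    return sorted(records, key=lambda r: r["epoch"])


def activity_window(records):
    """(first, last) upload time in UTC, or None for an empty listing."""
    if not records:
        return None
    return records[0]["utc"], records[-1]["utc"]


if __name__ == "__main__":
    recs = parse_listing(LISTING)
    for r in recs:
        print(f"{r['utc']}  {r['token']}  {r['name']}")
    print("server active:", activity_window(recs))
```

The epoch in each name is the attacker's own timestamp, so the resulting window shows how long the drop server has been receiving uploads regardless of what the FTP server reports as file modification times.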

We logged into the FTP server, revealing this directory:

Qbot II FTP Server

We have not yet managed to decrypt the zip files to determine what information the attacker exfiltrated.

Remediation & Recovery

As we found that only one device was infected, our remediation recommendations were:

  • Disconnect the infected device from the network and wipe the drive.
  • Add the IOCs (the dropper’s file name and SHA1, and the C2 and FTP hosts) to the other security controls, and confirm that no other device holds the infected files or has connected to the malicious hosts.
  • Pay close attention to future Varonis alerts, especially those related to abnormal amounts of device access.
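The IOC sweep in the second recommendation is easy to get subtly wrong: hashes arrive in mixed case, DNS queries carry trailing dots, and a lookup for a subdomain of the C2 host should still count. The script below is an added example of that sweep written for this page, not Varonis code; the indicator values are the ones stated above, and the log lines are constructed.

```python
"""Sweep constructed DNS and AV log lines for the indicators in the write-up.

Added example, not Varonis code. IOC values are the ones this page states;
the log lines and their key=value layout are constructed.
"""
import re

IOC_HOSTS = {"content.bigflimz.com"}
IOC_SHA1 = {"f38ed9fec9fe4e6451645724852aa2da9fce1be9"}
IOC_FILENAMES = {"jvc_82633.vbs"}

# Constructed log lines in a "<ts> <source> key=value ..." layout.
LOG_LINES = """\
2019-11-11T09:12:03Z dns client=10.0.0.15 query=content.bigflimz.com.
2019-11-11T09:12:04Z dns client=10.0.0.15 query=updates.example.com
2019-11-11T09:13:10Z av host=WS-015 path=C:\\Users\\jsmith\\AppData\\Local\\Temp\\JVC_82633.vbs sha1=F38ED9FEC9FE4E6451645724852AA2DA9FCE1BE9
2019-11-11T09:15:00Z av host=WS-020 path=C:\\Users\\agreen\\Downloads\\report.pdf sha1=0000000000000000000000000000000000000000
2019-11-11T09:20:41Z dns client=10.0.0.22 query=cdn.content.bigflimz.com
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def host_matches(query: str, iocs) -> bool:
    """Exact match or subdomain of an IOC host; case and trailing dot ignored."""
    q = query.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in iocs)


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def sweep(lines: str):
    """Return every line that matches at least one IOC, with the reasons."""
    hits = []
    for line in lines.splitlines():
        fields = dict(KV_RE.findall(line))
        reasons = []
        if "query" in fields and host_matches(fields["query"], IOC_HOSTS):
            reasons.append("c2-host")
        if fields.get("sha1", "").lower() in IOC_SHA1:
            reasons.append("dropper-sha1")
        if "path" in fields and basename(fields["path"]) in IOC_FILENAMES:
            reasons.append("dropper-name")
        if reasons:
            hits.append({"line": line, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in sweep(LOG_LINES):
        print(", ".join(h["reasons"]), "<-", h["line"])
```

A file-name match on its own is weak evidence (the dropper name may change between campaigns), so the hash and C2-host reasons should drive the response while the name match is a prompt to pull the file for analysis.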
