This malware is reading your email just 30 minutes after infecting your PC

Qbot is old malware but its operators appreciate efficiency.
Written by Liam Tung, Contributing Writer

Qbot, otherwise known as Qakbot or QuakBot, is an old software threat to Windows users that pre-dates the first iPhone, but it's still being improved for nefarious efficiency.  

The malware emerged in 2007, making it almost an antique in the new service-led ransomware world, but it is still nimble and efficient, according to cybersecurity outfit DFIR's analysis of a sample its researchers found in October.

Qbot is known for reaching Windows PCs via phishing emails and exploiting bugs in key apps like Microsoft's email client, Outlook. The malware recently gained a module that reads existing email threads so that the phishing messages it sends appear legitimate to victims. 


The malware's operators rely on clickable phishing messages, including tax payment reminders, job offers, and COVID-19 alerts. It can steal browser data from Chrome and Edge, email, and online banking passwords. 

DFIR researchers examined a case in which the initial access vector was not confirmed but was most likely a tainted Microsoft Excel document configured to download the malware from a web page; the malware then used a Windows scheduled task to gain higher-level access to the system. 

Qbot's authors have learned to live off the land by utilizing legitimate Microsoft tools. In this case, it used these tools to raid an entire network within 30 minutes of the victim clicking on a link in the Excel sheet. 

"Thirty minutes after initial access, Qbot was observed collecting data from the beachhead host including browser data and emails from Outlook. At around 50 minutes into the infection, the beachhead host copied a Qbot dll to an adjacent workstation, which was then executed by remotely creating a service. Minutes later, the beachhead host did the same thing to another adjacent workstation and then another, and before we knew it, all workstations in the environment were compromised." 

The attack affected PCs on the network but not servers, according to DFIR.

Qbot's operators have branched out into ransomware. Security firm Kaspersky reported that Qbot malware had infected 65% more PCs in the six months to July 2021 compared with a year earlier. Microsoft spotlighted the malware for its modular design, which makes it difficult to detect. 

The malware hides malicious processes and creates scheduled tasks to persist on a machine. Once running on an infected device, it uses multiple techniques for lateral movement.
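As an added defender-side illustration (not code from the article or from DFIR's report), the following Python script runs a simple detection over a constructed Windows event log: it flags scheduled-task creations (Event ID 4698) and service installations (Event ID 7045) whose command launches a DLL through regsvr32 or rundll32, and then flags any DLL that is installed as a service on two or more hosts within a short window, which is the copy-the-DLL-then-create-a-remote-service pattern the report describes. The event IDs are real Windows identifiers; the hostnames, DLL name, task and service names, timestamps and the pipe-separated log format are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not taken from the article or from DFIR's report.
# One event per line: timestamp|host|event_id|detail
# 4698 = scheduled task created, 7045 = service installed (Windows event IDs).
SAMPLE_EVENTS = r"""
2021-10-05T09:00:12|WS01|4698|TaskName=\Update Check;Command=regsvr32.exe /s C:\Users\jdoe\AppData\Roaming\Microsoft\xk3.dll
2021-10-05T09:31:40|WS01|4698|TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag;Command=C:\Windows\System32\defrag.exe -c
2021-10-05T09:50:03|WS02|7045|ServiceName=ghjk;ImagePath=regsvr32.exe -s \\WS02\C$\xk3.dll
2021-10-05T09:53:17|WS03|7045|ServiceName=qwer;ImagePath=regsvr32.exe -s \\WS03\C$\xk3.dll
2021-10-05T09:55:01|WS04|7045|ServiceName=zxcv;ImagePath=rundll32.exe C:\Windows\Temp\xk3.dll,DllRegisterServer
2021-10-05T10:10:00|WS05|7045|ServiceName=Sense;ImagePath="C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
""".strip()

# Living-off-the-land binaries commonly used to load a DLL.
LOLBIN_LOADER = re.compile(r"\b(regsvr32|rundll32)(\.exe)?\b", re.IGNORECASE)
# Basename of a .dll anywhere in the command line (backslash is not in the class,
# so only the final path component is captured).
DLL_NAME = re.compile(r"([\w.-]+\.dll)\b", re.IGNORECASE)


def parse_events(text):
    """Turn the pipe-separated lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, host, event_id, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "event_id": int(event_id), **fields})
    return events


def loaded_dll(command):
    """Return the DLL basename (lower-cased) if a LOLBin loader runs a DLL, else None."""
    if not LOLBIN_LOADER.search(command):
        return None
    m = DLL_NAME.search(command)
    return m.group(1).lower() if m else None


def find_lolbin_dll_events(events):
    """Scheduled tasks (4698) and service installs (7045) that launch a DLL via regsvr32/rundll32."""
    hits = []
    for ev in events:
        if ev["event_id"] == 4698:
            dll, kind = loaded_dll(ev.get("Command", "")), "scheduled_task"
        elif ev["event_id"] == 7045:
            dll, kind = loaded_dll(ev.get("ImagePath", "")), "service_install"
        else:
            continue
        if dll:
            hits.append({"kind": kind, "host": ev["host"], "time": ev["time"], "dll": dll})
    return hits


def detect_spread(hits, window=timedelta(minutes=15)):
    """Flag a DLL installed as a service on two or more hosts within `window`.

    Returns a list of (dll, sorted host list); one finding per DLL.
    """
    by_dll = defaultdict(list)
    for h in hits:
        if h["kind"] == "service_install":
            by_dll[h["dll"]].append((h["time"], h["host"]))
    findings = []
    for dll, installs in by_dll.items():
        installs.sort()
        # Sliding window: starting from each install, collect hosts seen within `window`.
        for t0, _ in installs:
            hosts = {host for t, host in installs if t0 <= t <= t0 + window}
            if len(hosts) >= 2:
                findings.append((dll, sorted(hosts)))
                break
    return findings


if __name__ == "__main__":
    hits = find_lolbin_dll_events(parse_events(SAMPLE_EVENTS))
    for h in hits:
        print(f"{h['time']:%H:%M:%S} {h['host']:5} {h['kind']:15} {h['dll']}")
    for dll, hosts in detect_spread(hits):
        print(f"possible lateral movement: {dll} installed as a service on {', '.join(hosts)}")
```

On the constructed log this reports the regsvr32 scheduled task on WS01 as persistence, the three service installs on WS02 to WS04 as LOLBin DLL loads, and xk3.dll as spreading across those three hosts within five minutes, while the legitimate defrag task and the MsSense.exe service are ignored. In a real environment the same logic would run over Security (4698) and System (7045) channel events from a SIEM, and the host-count threshold and window would be tuned to the network.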

The FBI has warned that Qbot trojans are used to distribute ProLock, a "human-operated ransomware". 
