A new version of Qbot malware now activates its persistence mechanism just before infected Windows devices shut down and automatically removes any traces when the system is rebooted or wakes up from sleep mode.
Qbot (also known as Qakbot, Quakbot, and Pinkslipbot) is a Windows banking Trojan with worm capabilities that has been active since at least 2009 and is used to steal banking credentials, personal information, and financial data.
The malware has also been used to log users' keystrokes, to open backdoors on compromised computers, and to deploy Cobalt Strike beacons that ransomware operators use to deliver ProLock and Egregor ransomware payloads.
In recent campaigns, Qbot victims have been infected via phishing emails with Excel document attachments posing as DocuSign documents.
Switch to a more stealthy persistence mechanism
As of November 24, when Binary Defense threat researcher James Quinn says the new version of Qbot was detected, the malware has been using a newer and stealthier persistence mechanism that takes advantage of system shutdown and resume messages to toggle persistence on infected devices.
The tactic is effective enough that some researchers had previously concluded that the Qbot Trojan had removed this persistence mechanism altogether.
“While initial reports from other researchers had stated that the Run key persistence mechanism was removed in the new version of Qakbot, it was instead added to a more stealthy and interesting persistence mechanism that listens for shutdown messages from the system, along with PowerBroadcast Suspend / Resume messages,” explains Quinn.
The Trojan adds a registry Run key on infected systems so that it starts automatically at logon, and it tries to remove that key again as soon as the user powers on the computer or wakes it from sleep, to evade detection by anti-malware solutions and security researchers.
What makes this technique stealthy is the precise timing the Qbot developers use to write the key to the Windows registry.
The malware only adds the Run key just before the system sleeps or shuts down, and it does so so close to that moment that "security products don't have a chance to detect and report the new run key."
Once it is started again at resume or logon, Qbot then attempts, retrying several times, to remove the persistence key.
Because the value name is randomly generated on each infected system, Qbot does not look for a fixed name; instead it tries to "kill any run key with matching value data", that is, any Run value whose data points to its own path.
While this method of gaining persistence is new to Qbot, other malware families have used similar techniques to evade detection in the past, including the Gozi and Dridex banking Trojans.
“It seems that the two malware families have a similar mechanism, as both are listening for WM_QUERYENDSESSION and WM_ENDSESSION messages to detect when the user logs out, but the new version of Qakbot goes further by also looking for power events like WM_POWERBROADCAST and PBT_APMSUSPEND to install its hooks when the system is suspended as well,” Binary Defense Threat Team Senior Director Randy Pargman told BleepingComputer.
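The persistence behaviour described above (a Run value written seconds before shutdown or sleep, then deleted shortly after boot or resume) is unusual for legitimate software and can be hunted for with a simple temporal correlation. The following is an added detection example written for this article, not code from Binary Defense or from the malware; it works on a constructed, pre-normalized event stream. The record layout, the event kinds, the timing windows and the sample registry paths and value names are all assumptions. In practice the registry records would be derived from Sysmon registry events (value set and object delete) and the power-state records from the Windows System log, and that mapping is an assumption as well.

```python
"""
Hunt for "toggle" Run key persistence: a Run/RunOnce value that is written
shortly before a shutdown or sleep event and removed shortly after the next
boot or resume event.

Added example, not from the article. The event records below are constructed
and pre-normalized; mapping them from Sysmon (registry value set / delete) and
the System log (shutdown, startup, sleep, resume) is assumed, not shown.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Autostart locations we care about, matched case-insensitively as substrings
# of the full registry path. "run\\" does not match "runonce\\", hence both.
RUN_KEY_MARKERS = (
    "\\microsoft\\windows\\currentversion\\run\\",
    "\\microsoft\\windows\\currentversion\\runonce\\",
)


@dataclass
class Event:
    ts: datetime
    kind: str          # reg_set | reg_delete | shutdown | sleep | boot | resume
    key: str = ""      # full registry path of the value, for reg_* events
    data: str = ""     # value data (the autostart command line), for reg_set
    image: str = ""    # process that performed the registry write


def is_run_value(path: str) -> bool:
    """True if the registry path is a value under a Run or RunOnce key."""
    p = path.lower()
    return any(marker in p for marker in RUN_KEY_MARKERS)


def seconds_between(a: Event, b: Event) -> float:
    """Signed number of seconds from event a to event b."""
    return (b.ts - a.ts).total_seconds()


def find_toggle_persistence(events: List[Event],
                            before_window: float = 10.0,
                            after_window: float = 180.0) -> List[Dict]:
    """
    Rule 1 (medium): a Run value is set within `before_window` seconds before
    a shutdown or sleep event.
    Rule 2 (raises to high): that same value path is deleted within
    `after_window` seconds after the next boot or resume event.
    Window sizes are assumptions; tune them to the telemetry you have.
    """
    events = sorted(events, key=lambda e: e.ts)
    findings: List[Dict] = []
    for w in events:
        if w.kind != "reg_set" or not is_run_value(w.key):
            continue
        down: Optional[Event] = next(
            (d for d in events
             if d.kind in ("shutdown", "sleep")
             and 0 <= seconds_between(w, d) <= before_window), None)
        if down is None:
            continue  # ordinary Run value, not written right before power-down
        up: Optional[Event] = next(
            (u for u in events if u.kind in ("boot", "resume") and u.ts > down.ts),
            None)
        removal: Optional[Event] = None
        if up is not None:
            removal = next(
                (d for d in events
                 if d.kind == "reg_delete"
                 and d.key.lower() == w.key.lower()
                 and 0 <= seconds_between(up, d) <= after_window), None)
        findings.append({
            "severity": "high" if removal else "medium",
            "value": w.key,
            "data": w.data,
            "written_by": w.image,
            "seconds_before_power_down": seconds_between(w, down),
            "removed_after_power_up": removal is not None,
        })
    return findings


# Constructed sample timeline: one benign autostart entry written by an
# installer in the afternoon, and one value written 3 s before shutdown
# and deleted 45 s after the next boot. Paths and names are made up.
T0 = datetime(2020, 11, 24, 16, 0, 0)
USER_RUN = "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_EVENTS = [
    Event(T0, "reg_set", USER_RUN + "OneDrive",
          "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
          "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveSetup.exe"),
    Event(T0 + timedelta(hours=2, seconds=-3), "reg_set", USER_RUN + "qzxw81",
          "regsvr32.exe C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Xyxw\\xyxw.dll",
          "C:\\Windows\\explorer.exe"),
    Event(T0 + timedelta(hours=2), "shutdown"),
    Event(T0 + timedelta(hours=14), "boot"),
    Event(T0 + timedelta(hours=14, seconds=45), "reg_delete", USER_RUN + "qzxw81"),
]

if __name__ == "__main__":
    for finding in find_toggle_persistence(SAMPLE_EVENTS):
        print(finding)
```

Matching the deletion by value path rather than by value data mirrors what registry telemetry usually offers: a delete event carries the path but not the data that was removed. Because the rule keys on timing relative to power events instead of on any name, the per-system random value name the article mentions does not help the malware against it.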
Installation and configuration changes
The Qbot installation technique has also been updated in this version: it uses a new DLL architecture that combines the malware loader and the bot into a single DLL.
Previously, the loader evaded detection by automated malware sandboxes by keeping all malicious code in a separate DllRegisterServer component and only invoking it via regsvr32.exe or rundll32.exe when specific command line arguments were supplied.
The new version simplifies this by removing the command line arguments and changing the way the bot code is injected into newly created processes.
“By removing command line switches and scan checks through creating a new process (while keeping many of the anti-scan / anti-sandbox checks), the new loader install mechanism only happens after the bot has been injected into explorer.exe,” Quinn adds.
Qbot now also stores its configuration encrypted in the registry, replacing the .dat configuration and log files it previously wrote to disk on victims' compromised computers.