Qbot (also known as Qakbot, Quakbot, and Pinkslipbot) is a banking Trojan and stealer malware that has been in circulation for over a decade. It is typically delivered through phishing techniques to get users to open malicious attachments or to lure victims onto phony websites that use exploits to execute Qbot onto a victim’s machine.
Once it has established a foothold, Qbot can employ a wide array of malicious behavior, including keylogging, cookie exfiltration, and process hooking. It has also been used to drop backdoors onto compromised systems, as well as deliver wider-reaching, targeted ransomware attacks against banking networks.
Qbot malware is modular, and its exact composition has varied substantially since it was first discovered over a decade ago. Although it began strictly as a banking trojan, it has since evolved to become a “Swiss army knife” for cybercriminals, and is frequently loaded with specific functionality tailored to accomplish particular goals.
Qbot variants have even been distributed by other loaders such as Emotet as part of large-scale malspam campaigns. Some common modules that have been included in recent iterations of Qbot include email collectors used to steal email threads from Microsoft Outlook, hooking modules to inject phony web forms into browsing sessions, dedicated password stealers, cookie grabbers, and plug-ins that facilitate the opening of remote desktop sessions on the victim’s computer.
Upon its initial execution (generally when a victim opens a Word document with an embedded VBA macro that arrives as part of a targeted phishing attack), Qbot attempts to evade detection by performing multiple checks for the existence of virtual machines or malware sandboxes. It will then typically sleep for a randomized amount of time (another commonly-employed context-aware evasion technique).
When Qbot wakes, it initializes a secondary execution by installing itself into the application folder’s default location, and then making a copy of itself in the registry key HKCU\Software\ Microsoft\Windows\CurrentVersion\Run to ensure its persistence after the system reboots. Qbot then executes the copy of itself in the default application location, and replaces the file that was originally infected with a legitimate one. Finally, Qbot creates an explorer.exe process that functions to update Qbot periodically from a remote command-and-control server and execute malicious modules.