Qbot, also known as “Qakbot” or “Pinkslipbot,” is a banking trojan that has been active since at least 2007, focusing on stealing user data and banking credentials. Over time, the malware has evolved to include new delivery mechanisms, command and control (C2) techniques, and anti-analysis features. Qbot infections typically stem from phishing campaigns. While some campaigns deliver Qbot directly, throughout 2020 we observed Qbot delivered as a secondary payload to other prominent malware such as Emotet.
In addition to data and credential theft, Qbot has the ability to move laterally within an environment. Left unchecked, widespread Qbot infections throughout an enterprise eventually lead to ransomware. Different ransomware families have been observed alongside Qbot, with ProLock being a common occurrence in early 2020, followed by a much more prolific outbreak of Egregor ransomware as a Qbot follow-on later in the year. For these reasons, it is imperative to respond quickly when Qbot gains a foothold in your environment.
Qbot presents several opportunities for detection, and while it is actively developed and its TTPs have changed over the years, some things remain the same. One of these consistent patterns is the staging folder for the malware. Historically, Qbot installed itself as a randomly named EXE into a randomly named subdirectory of AppData\Microsoft: the folder and file names vary from one infection to the next, but the parent directory does not. During the latter half of 2020, Qbot switched to using a DLL instead of an EXE. A DLL gives the operators more flexibility for defense evasion, because it can be loaded by a signed Microsoft binary such as Regsvr32 or Rundll32 (Signed Binary Proxy Execution, MITRE ATT&CK T1218.010 and T1218.011), so the malicious code runs inside a process that is itself legitimate.
Along with the change to using a DLL, Qbot also changed where it stores configuration information on the infected host. Earlier versions of Qbot stored this data in a DAT file in the same randomly named folder as the malicious binary. As of late 2020, this data is stored in the registry, under a randomly named subkey of HKCU\Software\Microsoft. While the move to the registry keeps the configuration a bit more hidden from prying eyes, in both cases a randomly named subdirectory or subkey directly under the Microsoft folder or key should be cause to investigate. Baselining the normal entries in these locations and alerting on anomalies is a fruitful way to identify Qbot, as well as other malware that masquerades as a Microsoft component to hide in the same places.
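The baseline-and-anomaly approach described above, as an added example that is not part of the original post: the script below compares an inventory of the subdirectories of AppData\Microsoft and the subkeys of HKCU\Software\Microsoft against a baseline of names seen on known-clean hosts and flags anything new. The baseline, the snapshot records and the random-name regular expression are constructed for illustration; the regex is a generic heuristic and not a Qbot signature, and the escalation rule (both locations anomalous on one host) is an assumption drawn from the post's description of the late-2020 DLL-plus-registry layout.

```python
import re
from collections import defaultdict

# The two staging locations the post describes: a randomly named
# subdirectory of AppData\Microsoft (EXE, then DLL from late 2020) and a
# randomly named subkey of HKCU\Software\Microsoft (configuration, late 2020).
APPDATA = "AppData\\Microsoft"
HKCU = "HKCU\\Software\\Microsoft"

# Constructed baseline: names seen in those locations on known-clean hosts.
# Assumption: you build this from your own fleet; these entries only
# illustrate the shape of the data and are not a complete allow-list.
BASELINE = {
    APPDATA: {"Windows", "Office", "Crypto", "Credentials", "Protect",
              "SystemCertificates", "Vault", "Internet Explorer"},
    HKCU: {"Windows", "Windows NT", "Office", "Internet Explorer",
           "Cryptography", "Active Setup"},
}

# Heuristic (an assumption, not a Qbot signature): a short run of lowercase
# letters with no separators is what a generated name tends to look like.
RANDOM_NAME = re.compile(r"^[a-z]{5,12}$")

# Constructed snapshot, as an inventory job might collect it: one record per
# subdirectory or subkey, with the files inside a directory under "children".
SNAPSHOT = [
    {"host": "WS01", "location": APPDATA, "name": "Windows", "children": []},
    {"host": "WS01", "location": APPDATA, "name": "Teams", "children": ["Teams.exe"]},
    {"host": "WS07", "location": APPDATA, "name": "gxjpoalq", "children": ["gxjpoalq.dll"]},
    {"host": "WS07", "location": HKCU, "name": "Windows NT"},
    {"host": "WS07", "location": HKCU, "name": "rztvkiqbw"},
    {"host": "WS12", "location": HKCU, "name": "Notepad"},
]


def looks_random(name):
    """True if the name matches the random-name heuristic above."""
    return bool(RANDOM_NAME.match(name))


def find_anomalies(snapshot, baseline=BASELINE):
    """Flag every name that is not in the baseline for its location.

    Severity: low for any unknown name, medium if the name itself looks
    generated, high if the directory also holds a randomly named EXE/DLL
    (the historic Qbot layout of random folder plus random binary).
    """
    findings = []
    for entry in snapshot:
        loc, name = entry["location"], entry["name"]
        if loc not in baseline or name in baseline[loc]:
            continue
        reasons = ["not in baseline for " + loc]
        severity = "low"
        if looks_random(name):
            reasons.append("name matches random-name heuristic")
            severity = "medium"
        for child in entry.get("children", ()):
            stem, _, ext = child.rpartition(".")
            if ext.lower() in ("exe", "dll") and looks_random(stem):
                reasons.append("contains randomly named %s: %s" % (ext.upper(), child))
                severity = "high"
        findings.append({"host": entry["host"], "location": loc, "name": name,
                         "severity": severity, "reasons": reasons})
    return findings


def hosts_to_escalate(findings):
    """Hosts with anomalies in both locations at once.

    Assumption drawn from the post: a late-2020 infection leaves both the DLL
    folder and the registry configuration key, so seeing both on one host is
    worth escalating regardless of the individual severities.
    """
    seen = defaultdict(set)
    for f in findings:
        seen[f["host"]].add(f["location"])
    return {h for h, locs in seen.items() if {APPDATA, HKCU} <= locs}


if __name__ == "__main__":
    results = find_anomalies(SNAPSHOT)
    for f in results:
        print("%-6s %-5s %-24s %-12s %s" % (f["severity"].upper(), f["host"],
                                           f["location"], f["name"], "; ".join(f["reasons"])))
    print("escalate:", sorted(hosts_to_escalate(results)))
```

On the constructed snapshot this flags the unknown but plausibly named "Teams" and "Notepad" entries at low severity, the random-looking registry subkey on WS07 at medium, the WS07 folder holding a randomly named DLL at high, and escalates WS07 because both locations are anomalous on the same host. In practice the baseline should be rebuilt whenever software is rolled out, otherwise legitimate new entries will generate the same low-severity noise.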
Across more than a decade of development and in-the-wild observation, many researchers have studied and reported on Qbot’s evolving TTPs, including Binary Defense and Fortinet.