The developers of Qbot have released a new version of the Windows malware that bundles the loader and the bot into a single DLL. The banking Trojan has also gained a new evasion mechanism: it registers itself to start automatically only just before the PC shuts down or goes to sleep, and removes that trace again when the system reboots or wakes from sleep.
Qbot Malware History
The polymorphic malware Qbot, also known as Qakbot, Quakbot and Pinkslipbot, has been around since at least 2009. It can steal banking details, credentials and personal data, and log keystrokes. The Trojan can also open a backdoor on infected machines and spread itself across the network.
New Version of Qbot Malware Analysis
A new version of Qbot was discovered late last month by researchers at Binary Defense. It spreads through spam emails carrying a malicious link or an Excel attachment with a malicious macro.
Binary Defense's analysis revealed functionality that lets the malware evade detection more effectively. The updated Qbot watches Windows power-state notifications (the WM_POWERBROADCAST window message) for Suspend and Resume events (the system entering sleep or hibernation, and waking up) as well as Shutdown, and manipulates the registry Run key in response.
How the Qbot Run Key Trick Works
Using this key, the Trojan registers itself for autorun just before the machine powers off or enters sleep, and deletes the entry again once the system boots or wakes from a long idle period. According to the researchers, this increases the stealth of Qbot's presence on the infected machine: the Run key entry, which antivirus and forensic tools routinely inspect, exists only during the brief window while the system is going down or coming back up. The trick depends on writing the entry and removing it from the registry quickly, before it can be observed.
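One way to hunt for this pattern in endpoint telemetry, as an added example that is not from the Binary Defense write-up or from this page: a Python detector run over constructed, simplified log lines. It correlates a Run key value being set (Sysmon event 13) shortly before a suspend or shutdown (Kernel-Power event 42, Kernel-General event 13) with deletion of the same value (Sysmon event 12 with EventType DeleteValue) shortly after the matching resume or boot (Kernel-Power event 107, Kernel-General event 12). The pipe-delimited line format, the 60-second window and the sample entries are assumptions made for the demonstration; the provider and event IDs are the documented Sysmon and Windows ones, but the real EVTX records carry many more fields than shown here.

```python
"""Hunt for Run key entries that exist only across a sleep/shutdown cycle."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Substring every per-user and per-machine Run key path contains.
RUN_KEY = "\\CurrentVersion\\Run\\"

# (provider, event_id) pairs taken from Microsoft's documented event IDs.
SLEEP_EVENTS = {("Kernel-Power", 42), ("Kernel-General", 13)}   # entering sleep, shutting down
WAKE_EVENTS = {("Kernel-Power", 107), ("Kernel-General", 12)}   # resumed, OS started


@dataclass(frozen=True)
class Event:
    ts: datetime
    provider: str
    event_id: int
    target: str = ""      # registry path (Sysmon 12/13 TargetObject)
    event_type: str = ""  # Sysmon EventType: SetValue, DeleteValue, ...


def parse_line(line: str) -> Event:
    """Parse the constructed 'ISO-TS|provider|id|k=v;k=v' format (not EVTX)."""
    ts, provider, eid, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return Event(datetime.fromisoformat(ts), provider, int(eid),
                 fields.get("TargetObject", ""), fields.get("EventType", ""))


def is_run_value(e: Event) -> bool:
    return e.provider == "Sysmon" and RUN_KEY.lower() in e.target.lower()


def find_transient_run_entries(events, window=timedelta(seconds=60)):
    """Return Run values set just before a power transition and deleted just after it ends."""
    events = sorted(events, key=lambda e: e.ts)
    sets = [e for e in events if is_run_value(e) and e.event_id == 13]
    deletes = [e for e in events if is_run_value(e) and e.event_id == 12
               and e.event_type == "DeleteValue"]
    sleeps = [e for e in events if (e.provider, e.event_id) in SLEEP_EVENTS]
    wakes = [e for e in events if (e.provider, e.event_id) in WAKE_EVENTS]
    findings = []
    for s in sets:
        # 1. A power-down event follows the registry write within the window.
        sleep = next((p for p in sleeps if timedelta(0) <= p.ts - s.ts <= window), None)
        if sleep is None:
            continue
        # 2. The next wake/boot after that power-down.
        wake = next((w for w in wakes if w.ts > sleep.ts), None)
        if wake is None:
            continue
        # 3. The same value is deleted within the window after waking.
        d = next((d for d in deletes if d.target.lower() == s.target.lower()
                  and timedelta(0) <= d.ts - wake.ts <= window), None)
        if d is None:
            continue
        findings.append({"value": s.target, "set": s.ts, "sleep": sleep.ts,
                         "wake": wake.ts, "deleted": d.ts})
    return findings


# Constructed sample telemetry: one transient entry around a sleep cycle and
# one ordinary, permanent Run entry that must not be reported.
SAMPLE_LOG = r"""
2020-08-24T10:00:00|Sysmon|13|EventType=SetValue;TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\abcd
2020-08-24T10:00:03|Kernel-Power|42|
2020-08-24T12:30:00|Kernel-Power|107|
2020-08-24T12:30:02|Sysmon|12|EventType=DeleteValue;TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\abcd
2020-08-24T13:00:00|Sysmon|13|EventType=SetValue;TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive
"""


def analyze(text: str):
    return find_transient_run_entries(parse_line(l) for l in text.strip().splitlines())


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"transient Run entry {f['value']}: set {f['set']}, "
              f"sleep {f['sleep']}, wake {f['wake']}, deleted {f['deleted']}")
```

The permanent OneDrive entry is not reported, which is the point: the hunt targets the short-lived entry, not Run key writes in general. The 60-second window is a guess and should be tuned to the gap your own telemetry shows between the registry write and the power transition; for shutdown cycles, remember that the deletion is logged after boot, so the events to correlate may be split across two log files.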
Qbot Methods Are Similar to Other Banking Trojans
The new tactic was effective enough that some researchers initially thought Qbot had lost its former persistence after the update. The Binary Defense blog post also notes that this concealment method is not new; it has previously been used by other banking Trojans, Gozi and Dridex.