Qbot performs privilege escalation quickly, and a full scan is completed within ten minutes.
Qbot (also known as Qakbot and QuakBot) malware operators have resumed their attacks to steal sensitive data in as little as 30 minutes. According to a DFIR report, it takes half an hour for attackers to steal browser data and emails from Microsoft Outlook and 50 minutes before they move onto a nearby computer system.
Qbot quickly performs privilege escalation immediately after infecting the system, while a full reconnaissance scan is completed within ten minutes. Initial access is usually through a Microsoft Excel (XLS) document that uses a macro to install a loader DLL on the computer. The payload is then executed to create a scheduled task through the msra.exe process and elevate its privileges to system privileges.
In addition, the malware adds the Qbot DLL to the Windows Defender exclusion list, so it will not be detected when injected into msra.exe.
The malware steals emails within 30 minutes of initial launch, which are then used in further phishing attacks or sold to other attackers. Qbot steals Windows credentials from memory by injecting commands into LSASS (Local Security Authority Server Service) and from web browsers. They are used to navigate the network to other devices.
Qbot travels to all computer systems in the scanned environment, copying the DLL to the next target and remotely creating a service to run it. At the same time, the previous system is cleared, so the attacked device looks normal. Also, services created on new devices have a DeleteFlag setting, which causes them to be deleted when the system is rebooted.
Qbot operators often use some of the compromised systems as first-level proxy points for convenient masking and address rotation, and also use several ports for SSL communication with the command and control server.