By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Security Parrot - Cyber Security News, Insights and ReviewsSecurity Parrot - Cyber Security News, Insights and Reviews
Notification
Latest News
Twilio was hacked: Credentials stolen from Twilio employees.
August 10, 2022
Chinese hackers attack defense companies and government agencies in Russia and Eastern Europe
August 10, 2022
US authorities imposed sanctions on the cryptocurrency mixer Tornado Cash
August 10, 2022
Microsoft: Windows devices on new CPUs can corrupt data
August 10, 2022
Microsoft will improve the security of Edge when working with less popular sites
August 10, 2022
Aa
  • News
  • Security Insider
  • Tutorials
Reading: Qbot operators can steal credentials in as little as 30 minutes
Share
Security Parrot - Cyber Security News, Insights and ReviewsSecurity Parrot - Cyber Security News, Insights and Reviews
Aa
Search
  • News
  • Security Insider
  • Tutorials
Follow US
Security Parrot - Cyber Security News, Insights and Reviews > News > Qbot operators can steal credentials in as little as 30 minutes
News

Qbot operators can steal credentials in as little as 30 minutes

Last updated: 2022/02/08 at 4:37 PM
Jim Koohyar Biniyaz Published February 8, 2022
Share
SHARE

Qbot performs privilege escalation quickly, and a full scan is completed within ten minutes.

Qbot (also known as Qakbot and QuakBot) malware operators have resumed their attacks to steal sensitive data in as little as 30 minutes. According to a DFIR report, it takes half an hour for attackers to steal browser data and emails from Microsoft Outlook and 50 minutes before they move onto a nearby computer system.

Qbot quickly performs privilege escalation immediately after infecting the system, while a full reconnaissance scan is completed within ten minutes. Initial access is usually through a Microsoft Excel (XLS) document that uses a macro to install a loader DLL on the computer. The payload is then executed to create a scheduled task through the msra.exe process and elevate its privileges to system privileges.

In addition, the malware adds the Qbot DLL to the Windows Defender exclusion list, so it will not be detected when injected into msra.exe.

The malware steals emails within 30 minutes of initial launch, which are then used in further phishing attacks or sold to other attackers. Qbot steals Windows credentials from memory by injecting commands into LSASS (Local Security Authority Server Service) and from web browsers. They are used to navigate the network to other devices.

Qbot travels to all computer systems in the scanned environment, copying the DLL to the next target and remotely creating a service to run it. At the same time, the previous system is cleared, so the attacked device looks normal. Also, services created on new devices have a DeleteFlag setting, which causes them to be deleted when the system is rebooted.

Qbot operators often use some of the compromised systems as first-level proxy points for convenient masking and address rotation, and also use several ports for SSL communication with the command and control server.

Jim Koohyar Biniyaz February 8, 2022
Share this Article
Facebook Twitter Email Copy Link Print
What do you think?
Love0
Happy0
Joy0
Surprise0
Embarrass0
Sad0
Cry0
Angry0
Dead0

You Might Also Like

News

Twilio was hacked: Credentials stolen from Twilio employees.

August 10, 2022
News

Chinese hackers attack defense companies and government agencies in Russia and Eastern Europe

August 10, 2022
News

US authorities imposed sanctions on the cryptocurrency mixer Tornado Cash

August 10, 2022
News

Microsoft: Windows devices on new CPUs can corrupt data

August 10, 2022

© 2022 Parrot Media Network. All Rights Reserved.

  • Home
  • About Us
  • Contribute
  • Privacy Policy
  • Terms and Conditions

Removed from reading list

Undo
Go to mobile version
Welcome Back!

Sign in to your account

Lost your password?