For decades now, security experts have advised the public never to open attachments in emails from unverified sources. Unfortunately, this sane reminder has been ignored by many users ever since email first became a communication tool in the 1970s. Fast forward to 2019, and malware infection from opening email attachments is still a thing. That is 40 years of effective infiltration of both individual and corporate networks, due simply to users who never learned the lesson and continue to open malicious attachments.
This same bad habit is the reason Qbot malware is wreaking havoc in the wild today. Qbot is a 12-year-old banking trojan that, after all these years, still uses an old version of Visual Basic script. It relies on the tried and tested formula of arriving as an email attachment, combined with the ability to morph itself into a new signature (thereby bypassing signature-based virus detection). It targets Active Directory-based Windows workstations, brute-forcing its way to a login using AD accounts it detects from the Domain Controller.
The new version of QBot in the wild still uses the old method of infecting Windows machines, such as a hidden .vbs file masquerading as a .doc file (Windows still hides the real filename extension by default). Visual Basic scripts are still run automatically by Windows without warning when double-clicked, because the Windows Script Host built into Windows since Windows 98 still behaves the same way as the version shipped with Windows 10.
Once the VB script runs, it disables known antivirus products such as TrendMicro, Malwarebytes, Kaspersky and even Windows Defender (the built-in Windows antivirus). The latest addition to the QBot malware is its PowerShell awareness: it takes advantage of PowerShell to issue commands in order to propagate itself further into the system, deep into the Windows directory structure.
“The loader, which executes the core malware, has multiple versions and is constantly updating even after execution. The malware is going to copy itself to different places on the infected devices and will continue running and operating. If it can’t send information it will be stored and encrypted on the device. We were able to find log files containing the victim IPs, operating system details, and antivirus product names. The C2 server revealed past activities, as well as what appears to be additional malware versions,” explained Snir Ben Shimol, Director of Cybersecurity at Varonis, a data security and analytics company.
According to Varonis, the majority of the infected machines they saw were running Windows Defender. This shows how vulnerable Windows 10 is in its default configuration: Windows Defender is turned on by default, but that is countered by Windows Script Host and PowerShell both being available by default as well. The authors behind QBot are targeting Windows users in the United States and the United Kingdom; there is no indication of massive infection rates in regions outside North America and Europe.
To lessen the chance that it will impact users, system administrators are advised to turn off Windows Script Host and PowerShell on workstations and servers where they are not needed. This prevents the malware from operating on Windows machines as its authors intended.
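As an added example (not code from the article or from Varonis), the following PowerShell script, run from an elevated session, implements the Windows Script Host half of that advice: it disables WSH machine-wide through the documented Enabled registry value and makes Explorer show file extensions, so a file named invoice.doc.vbs is no longer displayed as invoice.doc. Restricting PowerShell itself is normally done with AppLocker or Windows Defender Application Control policies rather than a registry switch, and is not covered by this block.

```powershell
# Added hardening example; requires an administrator PowerShell session for the HKLM change.

# 1. Disable Windows Script Host so double-clicked .vbs/.js files no longer execute.
#    The "Enabled" DWORD under this key is the documented switch (0 = disabled).
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord

# 2. Show file extensions in Explorer for the current user, so a hidden
#    .vbs extension behind a ".doc" name becomes visible (0 = do not hide).
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerKey -Name 'HideFileExt' -Value 0 -Type DWord

# 3. Verify both settings and return a small report object for auditing.
function Test-WshHardening {
    $wsh = (Get-ItemProperty -Path $wshKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    $ext = (Get-ItemProperty -Path $explorerKey -Name 'HideFileExt' -ErrorAction SilentlyContinue).HideFileExt
    [pscustomobject]@{
        WshDisabled       = ($wsh -eq 0)
        ExtensionsVisible = ($ext -eq 0)
    }
}

Test-WshHardening
```

Explorer picks up the HideFileExt change after a sign-out or an explorer.exe restart; the WSH setting takes effect for newly launched scripts immediately.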