Qbot is Back Connect
QBot, a modular information stealer, has resurfaced following law enforcement actions aimed at its operators. Recent research indicates the use of DNS tunneling in conjunction with Zloader, revealing connections to new backConnect malware that may be utilized in ransomware attacks.

Affected: QBot operators, financial institutions, cybersecurity sector

Keypoints :

  • QBot, also known as Qakbot or Pinkslipbot, has been active since 2007.
  • It originally functioned as a banking Trojan, stealing financial data from infected systems.
  • Law enforcement disrupted QBot operations on May 30, 2024, but signs of re-emergence have been observed.
  • Zscaler’s research linked DNS tunneling to Zloader, revealing overlaps with QBot.
  • New backConnect malware developed by QBot operators may be used in ransomware attacks.
  • A YARA rule has been released to help identify and detect the new malware samples.

MITRE Techniques :

  • Credential Dumping (T1003): QBot may attempt to extract sensitive information from infected systems.
  • Command and Control (T1071): Utilizes C2 servers for payload targeting and execution.
  • Data Encrypted for Impact (T1486): The malware may encrypt data to extort victims.
  • Exploitation of Remote Services (T1210): Potential exploitation of services for lateral movement.
  • Obfuscated Files or Information (T1027): Uses obfuscation techniques to hide its presence and activities.

Indicators of Compromise :

  • [SHA256] 22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764
  • [SHA256] 98d38282563c1fd09444724eacf5283626aeef36bcb3efa9d7a667db7314d81f
  • [URL] vector123[.]xyz/PixelSignal.dll
  • [IP Address] 80.66.89.100
  • [Registry Key] SoftwareTitanPlus
  • Check the article for all found IoCs.
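The indicators above are only useful once they are matched against something. The following Python script is an added example, not code from the article or from Walmart Global Tech: it loads the SHA256, URL and IP indicators listed on this page, refangs the defanged domain, and runs them against a few constructed proxy/DNS log lines and a file's bytes. The log lines and the sample file content are made up for the example; the indicator values are the ones listed above.

```python
import hashlib
import re

# Indicators copied from the list above. The domain is kept defanged here
# and refanged only when the match patterns are built.
IOC_SHA256 = {
    "22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764",
    "98d38282563c1fd09444724eacf5283626aeef36bcb3efa9d7a667db7314d81f",
}
IOC_URLS = {"vector123[.]xyz/PixelSignal.dll"}
IOC_IPS = {"80.66.89.100"}


def refang(value: str) -> str:
    """Turn a defanged indicator (vector123[.]xyz) back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_patterns():
    """Compile one regex per indicator. The URL pattern is listed before the
    bare domain so that a full URL hit wins over a plain domain hit. Boundaries
    reject lookalikes such as notvector123.xyz or 80.66.89.1000 while still
    admitting subdomains of the indicator domain."""
    patterns = []
    for url in IOC_URLS:
        full = refang(url)
        host = full.split("/", 1)[0]
        patterns.append(("url", full, re.compile(re.escape(full))))
        patterns.append(("domain", host,
                         re.compile(r"(?<![\w-])" + re.escape(host) + r"(?![\w-])")))
    for ip in IOC_IPS:
        patterns.append(("ip", ip,
                         re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")))
    return patterns


PATTERNS = build_patterns()


def scan_log_lines(lines):
    """Return (line_number, indicator_type, indicator) for the most specific
    indicator found on each line; lines with no hit contribute nothing."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, value, pattern in PATTERNS:
            if pattern.search(line):
                hits.append((number, kind, value))
                break
    return hits


def is_known_sha256(hexdigest: str) -> bool:
    """Case-insensitive lookup of a SHA256 hex digest against the IoC set."""
    return hexdigest.strip().lower() in IOC_SHA256


def match_file_bytes(data: bytes):
    """Hash raw file content and return the digest if it is a listed IoC."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if digest in IOC_SHA256 else None


# Constructed sample log lines (not real telemetry) in a generic
# "timestamp source key=value" layout.
SAMPLE_LOG = [
    "2024-06-01T10:00:01Z dns query=vector123.xyz client=10.0.0.5",
    "2024-06-01T10:00:02Z proxy GET http://vector123.xyz/PixelSignal.dll client=10.0.0.5",
    "2024-06-01T10:00:03Z conn dst=80.66.89.100:443 client=10.0.0.5",
    "2024-06-01T10:00:04Z dns query=example.com client=10.0.0.9",
]

if __name__ == "__main__":
    for number, kind, value in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {kind} indicator {value}")
    # Constructed benign content: its hash is not in the list, so this prints None.
    print(match_file_bytes(b"constructed benign sample content"))
```

The first-match-wins loop means a line carrying the full download URL is reported once as a URL hit rather than twice (URL and domain), which keeps alert volume sane when the same list is fed to a SIEM correlation rule.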


Full Story: https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f?source=rss——infosec-5