QBot, also known as Qakbot or Pinkslipbot, is a modular information stealer that has been active since 2007, primarily targeting financial data. Recent law enforcement actions disrupted its operations, but signs of a resurgence have emerged. Research indicates that QBot operators are involved in new malware activity, including the addition of DNS tunneling to Zloader and the development of new BackConnect malware.
Affected: QBot, Zloader, BlackBasta
Key points:
- QBot is a modular information stealer active since 2007.
- It has historically been recognized as a banking Trojan and a loader.
- On May 30, 2024, law enforcement disrupted QBot operations.
- Research from Zscaler highlights the addition of DNS tunneling to Zloader.
- QBot operators have developed new BackConnect malware.
- Evidence suggests a connection between Zloader activity and BlackBasta ransomware.
- A YARA rule has been released to help identify new malware samples.
MITRE Techniques:
- Credential Dumping (T1003): QBot steals financial data from infected systems.
- Command and Control (T1071): Utilizes C2 servers for payload targeting and execution.
- Data Encrypted for Impact (T1486): Employs encryption methods to protect malicious payloads.
- Exploitation of Remote Services (T1210): Uses backConnect malware to exploit remote services.
- Obfuscated Files or Information (T1027): Implements obfuscation techniques to hide malicious activities.
Indicators of Compromise:
- [file hash] SHA256: 22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764
- [file hash] SHA256: 98d38282563c1fd09444724eacf5283626aeef36bcb3efa9d7a667db7314d81f
- [file hash] SHA256: c8bddb338404a289ac3a9d6781d139314fab575eb0e6dd3f8e8c37410987e4de
- [url] vector123[.]xyz/PixelSignal.dll
- [ip address] 80.66.89[.]100
- See the full article for the complete list of IoCs.
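Added example, not code from the article or from Walmart Global Tech: a small Python sweep that refangs the indicators listed above and matches them against constructed sample log lines, with boundary checks so that look-alikes such as 180.66.89.100 or notvector123.xyz do not produce false hits.

```python
import re

# The indicators exactly as listed (defanged) in the bulletin above.
BULLETIN_IOCS = [
    "[file hash] SHA256: 22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764",
    "[file hash] SHA256: 98d38282563c1fd09444724eacf5283626aeef36bcb3efa9d7a667db7314d81f",
    "[file hash] SHA256: c8bddb338404a289ac3a9d6781d139314fab575eb0e6dd3f8e8c37410987e4de",
    "[url] vector123[.]xyz/PixelSignal.dll",
    "[ip address] 80.66.89[.]100",
]

# Constructed sample log lines (not from the article): three true hits followed by
# two near misses that a naive substring search would wrongly flag.
SAMPLE_LOGS = [
    "dns client=10.0.0.12 qname=vector123.xyz. qtype=A",
    "proxy client=10.0.0.12 dst=80.66.89.100:443 GET /PixelSignal.dll",
    "edr host=WS-0412 sha256=C8BDDB338404A289AC3A9D6781D139314FAB575EB0E6DD3F8E8C37410987E4DE",
    "proxy client=10.0.0.33 dst=180.66.89.100:443 GET /index.html",
    "dns client=10.0.0.33 qname=notvector123.xyz. qtype=A",
]

def parse_iocs(lines):
    # Refang each bulletin entry and group it into a lowercase set by indicator type.
    iocs = {"sha256": set(), "domain": set(), "ip": set()}
    for line in lines:
        m = re.match(r"\[(file hash|url|ip address)\]\s*(?:SHA256:\s*)?(\S+)", line.strip())
        if not m:
            continue
        kind = m.group(1)
        value = m.group(2).replace("[.]", ".").replace("hxxp", "http").lower()
        if kind == "file hash":
            iocs["sha256"].add(value)
        elif kind == "url":  # keep only the host; paths change more often than hosts
            iocs["domain"].add(value.split("://")[-1].split("/")[0])
        else:
            iocs["ip"].add(value)
    return iocs

def sweep(iocs, log_lines):
    # Return (kind, indicator, line) per matching log line. Domain matches allow
    # sub.domain and trailing dots but not notvector123.xyz; IPs match whole addresses only.
    hits = []
    for line in log_lines:
        low = line.lower()
        hits += [("sha256", h, line) for h in iocs["sha256"] if h in low]
        hits += [("domain", d, line) for d in iocs["domain"]
                 if re.search(r"(^|[^a-z0-9-])" + re.escape(d) + r"(?![a-z0-9-])", low)]
        hits += [("ip", ip, line) for ip in iocs["ip"]
                 if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line)]
    return hits
```

Feed `sweep` real DNS, proxy and EDR export lines in place of `SAMPLE_LOGS` to check an environment against this bulletin's indicators.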
Full Story: https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f