[MART] - Daily Diary #449 - QBot Uses Quick Attack

CTAS-MAT ctas-mat at appgate.com
Wed Feb 9 21:03:42 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

02/09/2022 - Diary entry #449

In our Daily Diaries #104, #147 and #169, we discussed QBot (a.k.a. QakBot), a multi-purpose malware family active since 2009. QBot started as a simple stealer, but evolved to include banking-trojan capabilities. More recent versions extended QakBot further, making it able to spread through the network and steal a variety of information from the infected device.

Recent reports revealed that QakBot operators are adopting a different modus operandi, making their operations as quick as they can. According to those reports, it takes less than 30 minutes for QakBot to infect a system and steal e-mail and browser data, and 20 more minutes to jump to the next victims.

QakBot's infection vector is usually Office documents with malicious macros spread through spam e-mails. After infecting a device, it creates a scheduled task through the 'msra.exe' process to escalate privileges to the SYSTEM user. The privileged process injects a DLL into the LSASS.exe process and into web browsers to steal user credentials. Those credentials are then used in the lateral movement phase, dropping a file on other hosts and scheduling a system task on them over the network.
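The two scheduled-task steps described above (a task created from msra.exe to reach SYSTEM, and a task scheduled remotely during lateral movement) can be hunted for in process-creation telemetry. The following Python is an added detection example, not code from the diary or from Appgate: the Sysmon-style field names and the sample events are constructed, and the matching rules (msra.exe as parent of schtasks.exe, the real schtasks '/S' remote-host and '/RU' run-as switches) are assumptions derived from the behaviour the entry describes.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2022-02-09T14:01:10Z", "host": "WS01",
     "parent": r"C:\Windows\System32\msra.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /tn upd /tr C:\Users\Public\x.dll'},
    {"ts": "2022-02-09T14:02:30Z", "host": "WS01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /Query"},                       # benign: should not alert
    {"ts": "2022-02-09T14:25:05Z", "host": "WS01",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /S WS02 /U corp\jdoe /P pw /RU SYSTEM /tn upd /tr \\WS02\C$\Users\Public\x.dll"},
]

# schtasks switches used by the rules (real switches; their relevance here is an assumption).
REMOTE_CREATE = re.compile(r"/create\b.*?/S\s+\S+|/S\s+\S+.*?/create\b", re.I)
RUN_AS_SYSTEM = re.compile(r'/RU\s+"?(?:NT AUTHORITY\\)?SYSTEM\b', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the list of suspicious patterns a single schtasks.exe launch matches."""
    hits = []
    if basename(event["image"]) != "schtasks.exe":
        return hits
    cmd = event["cmdline"]
    # Escalation stage: msra.exe is not an expected parent of schtasks.exe.
    if basename(event["parent"]) == "msra.exe":
        hits.append("schtasks spawned by msra.exe (privilege-escalation pattern)")
    # Lateral movement stage: task created on a remote host via /S.
    if REMOTE_CREATE.search(cmd):
        hits.append("remote scheduled task creation (lateral-movement pattern)")
    if RUN_AS_SYSTEM.search(cmd):
        hits.append("task configured to run as SYSTEM")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """Flatten all matches into (timestamp, host, finding) triples for alerting."""
    return [(e["ts"], e["host"], h) for e in events for h in classify(e)]


if __name__ == "__main__":
    for ts, host, finding in scan(SAMPLE_EVENTS):
        print(f"{ts} {host}: {finding}")
```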

Most botnet and ransomware operations nowadays focus on spreading slowly and staying hidden in the system as long as they can, so they can affect as many devices as possible. This QakBot behavior instead makes the threat less exposed to security solutions: running for less time decreases the chance of being detected by antivirus scans and leaves fewer traces on the system and in the network, with the downside of affecting fewer devices.

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509


