Qbot (also known as Qakbot) is a notorious, widely spreading first-stage malware that is usually distributed via malspam campaigns. Targeted victims receive an email with a malicious attachment which, when opened, drops a DLL and executes it using the legitimate Windows binary regsvr32. A great early analysis of Qbot has already been published by Hornet Security, so we will limit the scope of this overview to the evasion techniques that article left unexplored.

In the sample we analyzed, the malware checks whether the path of the malicious DLL contains any of the strings below (a simple way to detect that it is running inside a sandbox or analysis environment):

[Image: list of strings Qbot checks for in its own DLL path]

The binary employs another unusual evasion technique: it verifies that the user name and computer name of the current machine are not the combination "Virtual" and "VIRTUAL-PC", with the former being the user name. If any of these indicators are found, Qbot will not infect the machine.

Lastly, before injecting itself into another process, Qbot will copy ntdll into the %temp% directory and reload it. This is a common technique used by malware authors who want to evade a security product’s hooking mechanism.

As reported by Hornet Security, Qbot is used by the Egregor ransomware gang to gain an initial foothold in an organization. A higher level of sophistication in this bot's evasion techniques could lead to more enterprises being locked by this nefarious group. Considering the space left by Emotet's demise, Qbot is a prime candidate to fill the malspam vacancy.

Minerva Labs prevents Qbot with our Hostile Environment Simulation module, by using the malware’s code against it:

[Image: Minerva stops Qbot]

IOCs:

Hashes:

0ead31723c84575446f6f8f5418b8f6259eef660ecfa114730f80062e1486351 (packed DLL)

5e9f49b4dc99ad10057b18a2946fef0eef923b8034353201cd4e59c4978de0a1 (unpacked DLL)

If you would like to learn more about protecting your organization from malware and ransomware, contact us now.