Qbot malware adapts to live another day … and another …

The Qbot malware operation – which started more than a decade ago as a banking trojan only to evolve into a backdoor and a delivery system for ransomware and other threats – continues to deftly adapt its techniques to stay ahead of security pros, according to a new report.

Most recently, the operators behind Qbot – also known as Qakbot and Pinkslipbot – have this year shown new methods for delivering malware and a highly adaptable command-and-control (C2) infrastructure, with a quarter of the C2 servers used being active for only a day, researchers with Lumen’s Black Lotus Labs threat intelligence group write.

The new delivery methods in part were necessary after Microsoft last year blocked internet-sourced macros by default for Office users.

Such flexibility and speed of change have enabled Russia-linked Qbot to continue its malicious practices since it first was detected in 2007.

“Qakbot has persevered by adopting a field-expedient approach to build and develop its architecture,” the researchers write. “While it may not rely on sheer numbers like Emotet, it demonstrates technical craft by varying initial access methods and maintaining a resilient yet evasive residential C2 architecture.”

The malware most often gets onto a system via spear-phishing emails carrying files with malicious code or embedded URLs that lead to fraudulent documents.

Bye-bye Microsoft macros

Microsoft shutting down Visual Basic for Applications (VBA) and XL4 macros by default caused many miscreants to have to scramble to find other means to exploit Office documents. A recent Proofpoint report [PDF] found the number of malware campaigns that used the macros fell by 66 percent in 2022 and essentially disappeared this year.

Qbot operators often will slow the spamming attacks at times to retool the malware before resuming their activities. That happened last year after Microsoft’s macro actions, with Qbot going quiet before ramping up at the end of 2022.

The operators came out this year with new initial access techniques for their phishing campaigns, including malicious OneNote files, Mark of the Web evasion, and HTML smuggling, according to Black Lotus Labs, which used telemetry from Lumen’s global IP backbone to track Qbot’s activity.

The researchers found that spikes in Qbot’s bot recruitment dovetailed with the introduction of new entry techniques.

“We see the highest peaks of bot recruitment, indicating likely successful spamming campaigns, during the January and February 2023 OneNote campaigns, then in the March HTML Smuggling campaign,” they write. “It’s likely that OneNote-based exploitation became less effective at obtaining new bots because of the ease with which defenders can block OneNote on mail servers.”
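The mail-server blocking the researchers mention is easiest to get right when it keys on file content rather than file name. The following is an added example, not code from Black Lotus Labs or from this article: it walks a MIME message and flags OneNote attachments by the format's 16-byte header GUID as well as by extension. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Header GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3} that opens a OneNote
# section (.one) file, in its on-disk byte order.
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")
ONE_EXTENSIONS = (".one", ".onepkg")

def onenote_attachments(raw: bytes) -> list[str]:
    """Return 'filename:reason' for every MIME part that is a OneNote file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "<unnamed>"
        body = part.get_payload(decode=True) or b""
        if body.startswith(ONE_MAGIC):
            hits.append(f"{name}:magic")       # content check survives renaming
        elif name.lower().endswith(ONE_EXTENSIONS):
            hits.append(f"{name}:extension")   # named as OneNote, header differs
    return hits

def constructed_sample() -> bytes:
    """Constructed test message; the attachment bodies are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    stub = ONE_MAGIC + b"\x00" * 16
    for filename, data in [("invoice.one", stub), ("report.pdf", stub),
                           ("notes.one", b"plain text"), ("readme.txt", b"hello")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for hit in onenote_attachments(constructed_sample()):
        print("quarantine:", hit)
```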

The short life of a Qbot C2

The C2 servers are another area of adaptation by Qbot. The operators are hiding the C2s in compromised web servers and hosts that sit in existing residential IP space – addresses that an internet service provider assigns to home users – rather than on a hosted virtual private server (VPS).

It’s difficult to maintain the persistence of these C2s, so they don’t stay around long. That said, the Qbot operators can quickly replenish them, with 70 to 90 new C2s spinning up over a given seven-day period during the botnet spamming cycle.

They can maintain the number of C2 servers despite the rapid turnover, the researchers write. After the first day a system is infected, a bot transmits to the C2 about half of all the stolen data it will send, with that jumping to 90 percent by day seven.

“This indicates that, once a victim is infected, the operators get what they need posthaste, loading additional malware at will,” they write. “The actors can then use the bot for other nefarious purposes or sell it off to other actors.”

Converting bots into C2s

That includes converting bots into C2 servers, which helps Qbot operators evade network defenses: continuously turning over the addresses of the C2 control points reduces the effectiveness of static blocking that relies on indicators of compromise (IOCs). The notorious Emotet malware also pulls this trick.

Turning bots into C2s is key to Qbot’s operations. While more than 25 percent of C2s are active for only a day, half don’t make it a week. They need the converted bots to replenish the supply of C2 servers, which themselves communicate with Tier 2 C2 nodes hosted on VPS providers that often are beyond the reach of non-Russian law enforcement.
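What that turnover means for an IOC blocklist can be worked through with numbers. The following is an added example, not data or code from the report: the C2 list is constructed so that a quarter of the entries are active for one day and half for less than a week, matching the proportions quoted above, and the feed lag and expiry TTL are assumptions of the example.

```python
from datetime import date, timedelta

# Constructed sample: addresses from the TEST-NET-3 documentation range,
# with active lifetimes (in days) chosen to mirror the article's proportions.
D0 = date(2023, 3, 1)
LIFETIMES = [1, 1, 3, 5, 7, 10, 20, 30]
C2S = [(f"203.0.113.{i + 1}", D0, D0 + timedelta(days=n - 1))
       for i, n in enumerate(LIFETIMES)]

def active_days(first: date, last: date) -> int:
    """Number of days a C2 was observed active, both ends included."""
    return (last - first).days + 1

def share_active_at_most(c2s, days: int) -> float:
    """Fraction of C2s whose whole lifetime fits in `days` days."""
    return sum(active_days(f, l) <= days for _, f, l in c2s) / len(c2s)

def blocked_share(c2s, lag_days: int) -> float:
    """Fraction of all C2 active-days on which a block rule already existed,
    assuming each address is blocked lag_days after it is first seen."""
    total = sum(active_days(f, l) for _, f, l in c2s)
    covered = sum(max(0, active_days(f, l) - lag_days) for _, f, l in c2s)
    return covered / total

def expire(c2s, today: date, ttl_days: int) -> list[str]:
    """Keep only addresses seen within ttl_days (assumed policy), so the
    blocklist does not keep growing with addresses that no longer serve C2."""
    return [ip for ip, _, last in c2s if (today - last).days <= ttl_days]

if __name__ == "__main__":
    print("active one day only:", share_active_at_most(C2S, 1))
    print("gone within a week: ", share_active_at_most(C2S, 6))
    for lag in (1, 7):
        print(f"blocked with {lag}-day feed lag: {blocked_share(C2S, lag):.0%}")
    print("kept after 14-day TTL:", expire(C2S, D0 + timedelta(days=30), 14))
```

With this constructed data, a feed that lands a week after first sighting never blocks five of the eight C2s while they are active, which is why short-lived C2s favor detection on behavior over address lists.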

There also is a separate server – which Black Lotus Labs calls a backconnect server – whose full role in the operation is unclear but which only communicates with the bots and can turn them into proxies to be sold or used for other malicious jobs.

Qbot has a long history of adapting its operations to the ever-evolving cybersecurity landscape and that is likely to continue.

“There are currently no signs of Qakbot slowing down,” the Black Lotus Labs researchers write. ®