May 6, 2019 By David Bisson 2 min read

Security researchers observed recent Qbot attack campaigns using a new persistence mechanism that helps the banking Trojan avoid detection.

In early April, Cisco Talos observed a new Qbot campaign that infected users’ machines with a dropper. The campaign used the infected machine to create a scheduled task that executed a JavaScript downloader. This asset, in turn, made a request from one of several hijacked domains.

Specifically, the downloader requested the uniform resource identifier (URI) /datacollectionservice[.]php3 from the domains, which were XOR-encrypted at the beginning of the JavaScript. A successful communication attempt yielded obfuscated data that the campaign saved in two files: the first 1,000 characters in (randalpha)_1.zzz and the remainder in (randalpha)_2.zzz.

At that point, the campaign created a scheduled task designed to execute a batch file. This process used the two .zzz files to assemble a Qbot executable before deleting them. Finally, the campaign ran the malware payload, enabling it to target financial information on the infected machine.

Tracing the Attack Trail of Qbot

Qbot has gotten up to all kinds of trouble over the past few years. Back in 2017, IBM X-Force observed a campaign in which the malware (also known as Qakbot) locked hundreds of thousands of Active Directory users out of their company’s domain, preventing them from accessing their employer’s servers or network assets.

Fast-forward to 2019: In March, Varonis spotted an operation leveraging a new variant of the malware that compromised and took over thousands of victims around the world. That same month, the SANS Internet Storm Center (ISC) discovered a malspam campaign in which Emotet served up Qbot as its follow-up payload.

Use UEM and AI to Defend Against Sophisticated Malware

Security professionals can help their organizations defend against sophisticated malware like Qbot by using a unified endpoint management (UEM) solution to monitor how devices report to the environment and take the necessary precautions if anything appears to be malicious in nature. Organizations should also consider enlisting the help of artificial intelligence (AI) to help fill the defense gaps created by rule-based security tools.

More from

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today