QBot is a Trojan, also known as QakBot, which has been active for years. It was originally known as a financial malware designed to target governments and businesses for financial fraud by stealing user credentials and keystrokes. It was observed by threat researchers at the time that it was delivered through phishing campaigns, or by another malware, such as Emotet.
FortiGuard Labs recently captured an MS Office Word document in the wild that was spreading a variant of QBot. Normally, such Word documents are only delivered in a phishing email designed to deceive the victim into opening it. Unfortunately, we only captured the Word file, so we do not know how it is being delivered.
I performed a deep analysis on this sample file. QBot uses complicated techniques and a framework designed for it to run covertly on a victim’s system. In this post, I will explain how it works on a victim’s machine, as well as what techniques it uses.