This new persistent and difficult-to-detect Qbot version is designed to steal financial information.
The decade-old Qbot financial malware has resurfaced with an improved version in a new attack against businesses that has infected thousands of systems so far. Researchers from data security solutions provider Varonis uncovered the attack after a customer alerted them to suspicious activity on a computer. The culprit turned out to be an infection with a new strain of Qbot, also known as Qakbot, that was trying to spread to other systems on the network.
Qbot is one of the most successful malware families of the past decade, in part because its source code is available to cybercriminals, so it can be easily modified and extended. The malicious program started out as a Trojan designed to steal online banking credentials, but has received many improvements over the years.
Interestingly, Qbot is a semi-polymorphic threat: its command-and-control servers periodically re-scramble the code and configuration to evade signature-based antivirus detection. The threat also has worm-like capabilities that allow it to move laterally through corporate networks by brute-forcing Windows domain credentials.