Public institutions targeted with shape changing Qbot malware

A new strain of Qbot, malicious software that steals user credentials and creates backdoors on targeted devices, has infected over 54,000 PCs in thousands of organisations across the world, BAE System experts have found.

Following an attack on a public sector organisation in early 2016 that affected more than 500 computers and impacted the operation of critical systems, the company’s analysts discovered a number of modifications had been made to the original Qbot malware to make it harder to detect and intercept.

New and improved Qbot

These included a new ‘shape changing’ or polymorphic code, which meant that each time the malware’s code was issued by the servers controlling it, it was compiled afresh with additional content, making it look like a completely different programme to researchers looking for specific signatures.

In addition, automated updates to the malware generated new, encrypted versions every six hours, outpacing efforts to update software on customer computers, which helped the virus to spread.

The new Qbot also checks for signs that it is running in a ‘sandbox’ – a tool used to spot malware before it reaches users’ inboxes. Sandboxing is accepted by many organisations as the de facto defence against malicious email content, and malware authors are now going to great lengths to defeat it.

Professional cyber criminals were found to be specifically targeting public organisations such as police departments, hospitals and universities. BAE Systems’ expert analysis revealed Qbot’s international network of infected machines currently runs to more than 54,000 PCs due to the malware’s ability to spread automatically without any outside instruction. Due to a combination of detection avoidance and automated infection, there is a risk that Qbot will continue to spread unless organisations take steps to protect themselves.

The team worked to understand the malware’s own command and control network to work out how stolen data was being uploaded. In addition, they were able to identify how the programmers altered the destination of the stolen data each time, one of the ways in which the attackers can avoid detection and interception.

“Many public sector organisations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks. In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organisation to the spreading problem,” Adrian Nish, Head of Cyber Threat Intelligence at BAE Systems, explained.

“This case illustrates that organisations must remain alert to, and defend against, new and evolving cyber threats. Qbot first came to light in 2009, but this new version is equipped with advanced tools to escape detection and infect quickly.”

More information about the attacks, as well as Indicators of it, can be found in this paper.