The incident response team at BAE Systems is warning of a strain of the virulent Qbot malware that has hit thousands of public sector computers around the world.
The malware – also known as the Qakbot botnet – first appeared in 2009 and was uploading 2GB of stolen confidential information to its FTP servers each week by April 2010 from private and public sector computers, including 1,100 on the NHS network in the UK.
A modified version of the malware has resurfaced that is believed to have infected more than 54,000 PCs in thousands of organisations around the world and added them to its botnet of compromised machines, with 85% of infections in the US.
The malware is a network-aware worm with backdoor capabilities, primarily designed as a credential harvester and delivered using the Rig exploit kit, according to a whitepaper published by BAE Systems.
An emergency response to a Qbot attack on a public sector organisation has given BAE Systems insight into how the updated malware infects hosts, updates itself and hides from all but a very few antivirus and malware defences.
Following an attack on the organisation in early 2016 that hit more than 500 computers and affected the operation of critical systems, BAE Systems’ analysts discovered that a number of modifications had been made to the original Qbot malware to make it harder to detect and intercept.
These included "shape-changing", or polymorphic, code: each time the malware’s code is issued by its command and control servers, it is compiled afresh with additional content, making it look like a completely different piece of software.
Malware modifies behaviour
In addition, automated updates to the malware generate different, encrypted versions every six hours, outpacing efforts to update software on customer computers, helping the malware to spread.
The modified Qbot also checks for signs that it is running in a sandbox – a tool used to spot malware before it reaches users’ inboxes – and modifies its behaviour accordingly, to avoid detection.
Sandboxing is widely used as a defence against malicious email content, but the modified version of Qbot shows that malware authors are now going to great lengths to defeat it.
According to BAE Systems, the cyber criminals are mainly using the Qbot malware to target public organisations such as police departments, hospitals and universities.
Due to a combination of detection avoidance and automated infection, the company said there is a risk Qbot will continue to spread unless organisations take steps to protect themselves.
“Many public sector organisations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks,” said Adrian Nish, head of cyber threat intelligence at BAE Systems.
Criminals trip up over legacy PCs
He said that, in the case investigated by the company’s incident response team, the cyber criminals tripped up because the malicious code crashed a small number of outdated PCs rather than infecting them, alerting the targeted organisation to the infection.
“This case illustrates that organisations must remain alert to and be able to defend against evolving cyber threats. Qbot first came to light in 2009, but this new version is equipped with advanced tools to escape detection and infect quickly,” said Nish.
The team at BAE Systems worked to understand the malware’s command and control network to work out how stolen data was being uploaded.
In addition, they were able to identify how the programmers altered the destination of the stolen data each time, which is one of the ways in which the attackers can avoid detection and interception.
The introduction of features such as anti-sandboxing, the use of a domain generation algorithm (DGA) to call home for control instructions and a wider range of control commands shows that the authors are evolving Qbot into a more proactive threat, prioritising persistence and polymorphic capabilities over simply blocking active antivirus software, the whitepaper said.
Qbot is designed with persistence and mass infection in mind, the BAE Systems analysts said. “As such, we expect that Qbot will continue to be a potent threat over the coming months, facilitated by exploit kits to provide an initial infection, and automated spreading to gain maximum victim count,” they said.