The K2 Intelligence Incident Response Team encountered one of the more recent variants when asked to remediate a client’s infected network. Qbot is notoriously difficult to detect and remove due to its numerous integrated persistence methods and multilayer obfuscation techniques that make it difficult for security researchers to access its core code. However, after working through multiple layers of encryption, K2 Intelligence’s team was able to examine the code and determine how the malware acts. Using that knowledge, K2 Intelligence built a custom removal tool that not only cleans dirty devices, but immunizes them against further infection. The team focused on Qbot’s ability to infect machines and networks and how it maintains its presence.
Below we describe the findings from that investigation and provide details on how Qbot’s operational tactics have changed and what those changes can tell us about the malware’s creators. The new functionalities are primarily aimed at increasing the malware’s ability to infect a variety of systems, improving the quality of the core code and persistence and self-defense capabilities, and widening its geographic target area.
Qbot’s Changes in Detail
Infecting More Systems
While Qbot was originally written for 32-bit environments, this new variant includes the additional capability to infect 64-bit operating systems. This development is worth noting because of the difficulty inherent in adding such functionality. Because Microsoft has designed Windows to separate 64- and 32-bit code as much as possible, a program that can operate in both environments at once requires heavy investment. Combined with some other changes, this addition almost doubled the size of the malware’s code. Given that Qbot’s core functions target internet browsers, its owners likely calculated that the time and resources required were worth it in order to target 64-bit browsers, which are becoming increasingly common.
Improving the Code
Whoever controls Qbot has been very tactical about the recent improvements. They have focused on improving the efficiency of the overall code and operations while preserving core legacy code.
When compared with previous iterations, where the code was mostly sequential, Qbot’s current structure has become more multithreaded. The ability to run over 100 threads on an average machine now makes Qbot comparable to commercial software. This kind of improvement showcases an increase in development skill level and was likely done to increase the malware’s efficiency; with the improvements in computing that have occurred over the last eight years, running concurrent processes is no longer a threat to the malware’s persistence. Older computers would slow down precipitously if a piece of malware ran multiple processes at once; today’s computers have surplus processing power and are far less affected.
Despite the other improvements to efficiency, the section of code that creates random numbers (for use during encryption operations and to check whether or not Qbot is already installed on a machine) appears to have been retained in its original form. As such, this code provides clues as to the evolution of Qbot; unlike the new sections that have recently been added, this code was written by someone who likely had little experience with C (the language in which most of Qbot is written). The structure of this code is inefficient and reads more like the work of someone familiar with Visual Basic or Python. Qbot’s managers likely decided that the risk of updating this code would not be worth the effort to change it. Core to any piece of malware is the ability to detect whether or not it is already installed on a machine; running concurrent copies of the same malware on one system dramatically raises the chances that it will be detected. While this code is inefficient, it works as designed.
Added Persistence Capabilities
Qbot’s owners have dedicated large amounts of code to persistence mechanisms, which allow the malware to remain on machines and networks despite attempts to remove it. In total, persistence functionality accounts for almost 20% of Qbot’s total file size. To improve Qbot’s persistence capability in the new variant, the malware’s owners added functions to detect and analyze its environment. Qbot looks for specific virtualized environments and for any installed antivirus (AV) programs in the registry itself, inspecting the list for anything labeled security or antivirus. Qbot’s code also includes instructions for avoiding detection by each of the major AV vendors, including Microsoft, McAfee, AVG, Kaspersky, NOD32, BitDefender, Avast, and Trend Micro (added within the last year). Qbot’s efforts to bypass Windows Defender are particularly robust. If it has the required permissions, Qbot will take Windows Defender completely offline; if it does not, Qbot will add itself to the Windows Defender exclusion list, which allows the malware to run concurrently with Defender and avoid detection by device users.
Additionally, Qbot checks whether the AV is actually running, not just whether it exists on the machine. If it is not running, Qbot does not take any action—at least initially. Whenever it can, Qbot lets other malware (or users’ poor security practices) do the work of disabling AV programs, avoiding unnecessary use of processing power.
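As an added example (not from the K2 Intelligence article or its removal tool), the following audit script checks a host for the two Defender outcomes described above: Defender taken offline, and a self-added exclusion. It assumes a Windows 10/11 host with the Defender PowerShell module, an elevated session, and that the user-writable path patterns are illustrative rather than Qbot-specific.

```powershell
# Added example, not K2 Intelligence code: audit Windows Defender for tampering of the
# kind described above (Defender disabled, or an exclusion added). Assumes Windows 10/11
# with the Defender module; run elevated. Path patterns below are assumptions.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$findings = @()

# 1. Defender taken offline (the "required permissions" case).
if (-not $status.AntivirusEnabled)          { $findings += "Antivirus engine disabled" }
if (-not $status.RealTimeProtectionEnabled) { $findings += "Real-time protection disabled" }
if ($pref.DisableRealtimeMonitoring)        { $findings += "DisableRealtimeMonitoring preference set" }

# Policy override that disables Defender; the key only exists when such a policy was applied.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableAntiSpyware -eq 1) { $findings += "Policy DisableAntiSpyware=1 at $polKey" }

# 2. Exclusions (the "no permissions" case). On a workstation with no admin-curated
# exclusions, any entry deserves review; user-writable locations most of all (assumption).
$userWritable = '^(?i)(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\|%APPDATA%|%TEMP%)'
foreach ($p in @($pref.ExclusionPath)) {
    if ($p) {
        $tag = if ($p -match $userWritable) { 'user-writable path' } else { 'path' }
        $findings += "Exclusion ($tag): $p"
    }
}
foreach ($proc in @($pref.ExclusionProcess))  { if ($proc) { $findings += "Exclusion (process): $proc" } }
foreach ($ext  in @($pref.ExclusionExtension)) { if ($ext)  { $findings += "Exclusion (extension): $ext" } }

# 3. When it happened: Defender logs real-time protection being disabled as event 5001 and
# any configuration change (including exclusions) as event 5007 in its Operational log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 5001 -or $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Id, Message

if ($findings.Count -eq 0) { Write-Output "No Defender tampering indicators found." }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
if ($events) {
    Write-Output "`nRecent Defender state/exclusion changes (events 5001/5007):"
    $events | Format-List
}
```

Correlating the event timestamps with process-creation logs from the same window is what turns an exclusion entry into an attributable change rather than an unexplained setting.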
Some of the recent changes to Qbot are aimed primarily at widening its target area. The new version of the code (from the 2017 variant examined by K2 Intelligence) can now process international characters, a signal that Qbot’s managers want to target outside of North America.
The most recent changes to Qbot have not changed its core functionality, but improved the sophistication of the code and added additional capabilities that will allow the malware to target additional systems, persist longer on infected devices, and gather credentials from more websites. Qbot’s owners clearly aim to keep Qbot in the wild—they have invested resources in developing these new capabilities and improving legacy code to make the malware more efficient and effective.
Qbot continues to evolve—a variant found one month is different from a variant found the next, and sometimes differs from variants found days before. Charting these changes allows security managers to gain insight into what might be at risk and track infections on their networks.
For more information on Qbot or assistance with removing an infection, contact K2 Intelligence’s Cyber Team at email@example.com.