Qbot Infostealer Trojan (Oct 15, 2010)


SonicWALL UTM Research team observed reports of a new Qbot Infostealer Trojan variant being spammed in the wild via e-mail. The e-mail pretends to contain pictures of the sender and lures the user into opening them. The attachment is an executable file (pic.exe) and leads to compromise of confidential information.

The e-mail message looks like below:

[screenshot: spam e-mail]

Most e-mail clients with default security settings will block the attachment, as it is an executable file. However, if the user manages to open the attached file, it performs the following activities:

  • Steals confidential information from the victim machine, including e-mail account credentials, credentials for various websites, and confidential information stored in cookies. The stolen data is stored in encrypted form.
  • Blocks antivirus updates as well as Google updates on the victim machine.
  • Connects to the compromised domain going-wide.net and downloads a newer variant of itself, which is saved as:
    • (Temp)\ky95.tmp.exe [Detected as GAV: Qbot.RP (Trojan)]
  • Drops the following files on the victim machine:
    • (WINDOWS)\system32\a.dll
    • (WINDOWS)\system32\d.dll
    • (WINDOWS)\system32\kkkkkkk
    • (WINDOWS)\system32\n.dll
    • (WINDOWS)\system32\ntcore.dll
    • (WINDOWS)\system32\o.dll
    • (WINDOWS)\system32\p.dll
  • Patches the following system file:
    • (WINDOWS)\system32\ole32.dll
  • Sample request that it uses to send confidential system information:

    [screenshot: HTTP request]

  • Sample runtime activity log from an infected system:

    [screenshot: runtime activity log]

SonicWALL Gateway AntiVirus provides protection against this information-stealing Trojan variant via the GAV: Qbot.RP (Trojan) signature.
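As an added defender-side example (not code from the advisory or from SonicWALL), the script below sweeps a host's system32 directory for the dropped file names listed above, compares ole32.dll against a known-good hash, and flags proxy-log lines that contact going-wide.net. The log line format and the baseline hash are assumptions; the sample log lines are constructed.

```python
import hashlib
from pathlib import Path

# Host and network indicators taken from the advisory above.
QBOT_DROPPED_FILES = ["a.dll", "d.dll", "kkkkkkk", "n.dll",
                      "ntcore.dll", "o.dll", "p.dll"]
QBOT_DOWNLOAD_DOMAIN = "going-wide.net"
PATCHED_SYSTEM_FILE = "ole32.dll"


def find_dropped_files(system32_dir):
    """Return the advisory's dropped-file names present in system32_dir."""
    base = Path(system32_dir)
    return sorted(n for n in QBOT_DROPPED_FILES if (base / n).is_file())


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def ole32_is_baseline(file_bytes, known_good_sha256):
    """True if the ole32.dll contents match a hash taken from a clean install
    of the same Windows build (the baseline is the caller's responsibility)."""
    return sha256_hex(file_bytes) == known_good_sha256.lower()


def flag_download_contacts(log_lines):
    """Assumed proxy log format: '<timestamp> <client-ip> <host> <path>'.
    Returns (line_number, client_ip) for requests to the advisory's domain."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line, skip
        host = fields[2].lower()
        if host == QBOT_DOWNLOAD_DOMAIN or host.endswith("." + QBOT_DOWNLOAD_DOMAIN):
            hits.append((no, fields[1]))
    return hits


# Constructed sample log lines for demonstration, not captured traffic.
SAMPLE_LOG = [
    "2010-10-15T09:01:02 10.0.0.5 www.example.com /index.html",
    "2010-10-15T09:01:09 10.0.0.7 going-wide.net /update.php",
    "2010-10-15T09:01:10 10.0.0.7 GOING-WIDE.NET /ky95.tmp.exe",
    "2010-10-15T09:01:11 10.0.0.9 mail.example.com /inbox",
]

if __name__ == "__main__":
    print("dropped files:", find_dropped_files(r"C:\Windows\System32"))
    print("download contacts:", flag_download_contacts(SAMPLE_LOG))
```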
