
Qbot Malware: Steals Your Data In 30 Minutes

Qbot travels fast to execute privilege escalation the moment an infection takes place, and a full-fledged monitoring scan can take up to ten minutes.


The large-scale spread of the Qbot malware (aka QuakBot or Qakbot) has picked up speed recently; according to experts, it takes only about 30 minutes to steal sensitive data after the initial infiltration. The DFIR Report found that Qbot was executing these fast data-stealing attacks in October 2021, and now notes that the operators have resurfaced with similar strategies. In particular, researchers believe that it takes around 30 minutes for the threat actors to steal browser data and Outlook emails, and around 50 minutes for them to move to another workstation.

The timeline suggests that Qbot moves fast to escalate privileges the moment an infection takes place, and a full monitoring scan can take up to ten minutes. Initial access in Qbot infections is generally obtained via phishing emails with malicious attachments, such as Excel (XLS) documents that use a macro to plant a DLL loader on the victim machine. Looking back, we have noticed that Qbot phishing campaigns use a variety of infection file templates. Once launched, the Qbot DLL payload is injected into legitimate Windows processes, such as mobsync.exe or msra.exe, to avoid detection.

For instance, the DFIR Report reveals that Qbot was injected into msra.exe and then created a scheduled task for privilege escalation. In addition, the malware adds the Qbot DLL to Microsoft Defender's exclusion list so that it is not detected when injected into msra.exe. Qbot can steal emails within 30 minutes of the initial deployment; these emails are later used in phishing attacks. Experts observed that Qbot is also capable of stealing Windows credentials by dumping the memory of the Local Security Authority Subsystem Service (LSASS) process, and of stealing credentials from various browsers.

The stolen credentials are later used to spread the malware laterally to other devices on the network. The malware took only 50 minutes after execution to dump credentials. Bleeping Computer reports: "Microsoft report from December 2021 captured the versatility of Qbot attacks, making it harder to evaluate the scope of its infections accurately. However, no matter how a Qbot infection unfolds precisely, it is essential to keep in mind that almost all begin with an email."
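As an added example (not from this post or from The DFIR Report), the following Python script runs simple detection logic over a constructed set of Sysmon and Windows Security events that mirror the chain described above: an Office macro launching a DLL loader, injection into msra.exe or mobsync.exe, a scheduled task, a Defender exclusion, and an LSASS memory read. The event IDs are the standard Sysmon ones (1, 8, 10, 13) and Security event 4698; field names follow the Sysmon event schema; timestamps, the user name, the task name and the excluded path are invented placeholders. The rule that treats rundll32.exe or regsvr32.exe spawned by Excel as the "DLL loader" is an assumption about the loader, not something the post states.

```python
"""Triage constructed Sysmon / Security events for the Qbot behaviours described
in the post: an Office macro launching a DLL loader, injection into msra.exe or
mobsync.exe, a scheduled task, a Defender exclusion, and an LSASS memory read.
Every event below is constructed for this example; none is a real log record."""
from datetime import datetime

# Legitimate Windows binaries the post names as injection targets.
INJECTION_TARGETS = {"msra.exe", "mobsync.exe"}
# Assumed loader binaries for the "macro plants a DLL loader" step (not stated in the post).
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Constructed events. Field names follow the Sysmon / Security event schema;
# timestamps, user, task name and the excluded path are invented placeholders.
SAMPLE_EVENTS = [
    {"time": "2022-02-10T09:00:00", "source": "Sysmon", "id": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"time": "2022-02-10T09:02:00", "source": "Sysmon", "id": 8,
     "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\msra.exe"},
    {"time": "2022-02-10T09:05:00", "source": "Security", "id": 4698,
     "SubjectUserName": "placeholder-user", "TaskName": r"\PlaceholderTask"},
    {"time": "2022-02-10T09:06:00", "source": "Sysmon", "id": 13,
     "Image": r"C:\Windows\System32\msra.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\placeholder\dir"},
    {"time": "2022-02-10T09:30:00", "source": "Sysmon", "id": 1,  # benign noise
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"time": "2022-02-10T09:50:00", "source": "Sysmon", "id": 10,
     "SourceImage": r"C:\Windows\System32\msra.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding label if the event matches one of the post's behaviours, else None."""
    src, eid = event["source"], event["id"]
    if src == "Sysmon" and eid == 1:
        if basename(event["ParentImage"]) in OFFICE_APPS and basename(event["Image"]) in DLL_LOADERS:
            return "Office application spawned a DLL loader (macro-delivered payload)"
    elif src == "Sysmon" and eid == 8:
        if basename(event["TargetImage"]) in INJECTION_TARGETS:
            return "remote thread created in a legitimate Windows process (injection)"
    elif src == "Security" and eid == 4698:
        return "scheduled task created (privilege escalation / persistence)"
    elif src == "Sysmon" and eid == 13:
        if "\\windows defender\\exclusions\\" in event["TargetObject"].lower():
            return "Microsoft Defender exclusion added"
    elif src == "Sysmon" and eid == 10:
        if basename(event["TargetImage"]) == "lsass.exe" and int(event["GrantedAccess"], 16) & PROCESS_VM_READ:
            return "LSASS memory read (credential dumping)"
    return None


def triage(events):
    """Findings in time order, each stamped with minutes elapsed since the first event."""
    ordered = sorted(events, key=lambda e: e["time"])
    t0 = datetime.fromisoformat(ordered[0]["time"])
    findings = []
    for e in ordered:
        label = classify(e)
        if label:
            minutes = (datetime.fromisoformat(e["time"]) - t0).total_seconds() / 60
            findings.append({"minutes": round(minutes), "id": e["id"], "finding": label})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"+{f['minutes']:3d} min  event {f['id']:<5} {f['finding']}")
```

The elapsed-minutes column is the point of the script: it lets a responder line up the observed events against the 30-minute and 50-minute windows the post describes and judge how much of the chain has already run. In a real environment each rule needs tuning against baseline noise (legitimate scheduled tasks, security tooling that reads LSASS, administrators adding Defender exclusions), and the LSASS rule keys on the PROCESS_VM_READ bit because that access right is what a memory dump requires.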