What is Qbot?

Qbot (also known as Qakbot or Quakbot) is a piece of malware originally designed to enable bad actors to conduct financial fraud by intercepting the victim's traffic to the online banking systems of various banking institutions. More recently it has been updated with worm-like features that help it spread laterally across a network, and its credential-stealing tactics have been broadened to harvest credentials for websites that are not related to online banking.

Distribution tactics

As with much malware, Qbot is distributed in several ways. Predominantly we have observed it being dropped by Emotet infections. In June 2020, however, we saw dedicated malspam campaigns for Qbot. In these campaigns the malicious payload was delivered as a URL pointing at a hacked web server. If a victim clicks the URL, the server returns a ZIP file containing an obfuscated VBScript that, if run, silently downloads and installs Qbot on the victim's machine.

From the beginning of June, Spamhaus tracked domain names that were hosting Qbot and listed them on the Spamhaus Domain Blocklist (DBL). The malspam operation, and consequently our tracking, ceased on June 23rd.

Qbot insights on hacked website operations

You'd be right in thinking that if you follow a URL like this:

Not only does this approach allow the creation of endless unique URLs to the malware, the obfuscation also hides the real location of the malicious code on the hacked server, making mitigation by the website owners much harder. A victim who clicks the link received in the malicious email has no clue that the file is not coming from the legitimate-looking URL they clicked, but from somewhere else entirely.

Why did those behind this malspam campaign use this trick? Sadly we don't have a crystal ball, but we believe the following factors contributed to the campaign's design:
N.B. In the source code there were also instructions that set the timezone to Europe/Moscow for logging purposes. This could perhaps be an indication of the origin of the operation.

Qbot malspam

Across the campaigns the Malware Team observed, the following were used to propagate infections:
It is worth noting that of the 480 ASNs identified during our research, the top 10 senders account for more than 66% of the total emails sent. As outlined above, the method Qbot used to distribute its stage 1 droppers gave the bad actors the ability to use a different link in each email. This is clearly illustrated in the following chart: the number of individual domains (hacked websites, in this case) held steady at around 150-180 per day, while the number of unique URLs spammed exactly matched the number of emails sent on the same day:
Abuse desk responsiveness to Qbot reports

Every domain that we listed on the DBL in relation to Qbot was flagged as ABUSED-MALWARE. This type of listing automatically generates an email to the abuse contact of the ISP and/or network that hosts the compromised web server. To review how quickly abuse desks neutralised these threats, we tracked their response times. The following tables show the quickest and slowest abuse desk responses, and the average time taken to take down the malware:

Abuse contacts with the quickest response times:
Abuse contacts with the longest response times:
Mitigation and protection

This Qbot malspam campaign is a perfect example of how the DBL can help protect your network and users from malware. While the Qbot campaign ran (June 4th - June 23rd), Spamhaus answered over 4.5 million queries for Qbot-abused domains with a 'BAD' response, helping email administrators across the globe secure their email. All the compromised servers' domains were listed in the DBL, so if you use common open source products such as SpamAssassin or Rspamd, you would have been protected automatically. Increased protection can be achieved by registering for a Data Query Service (DQS) account and using the dedicated Rspamd or SpamAssassin plugins.

Even though we helped block millions of Qbot malspam messages, remember that a good defense is a multi-layered defense. We recommend that you also run appropriate security measures for your operating system, and that you do not click links in suspicious emails or download files from them.
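The two points above, that each email carried its own unique URL while the pool of hacked domains stayed small, and that a DBL lookup on the link's hostname is what turns such a message into a 'BAD' verdict, can be shown in a few lines of Python. The following is an added example written for this page, not Spamhaus code and not the Rspamd or SpamAssassin plugin logic: it pulls URLs out of message bodies, reduces them to hostnames, queries the DBL over DNS and decodes the answer using the return codes Spamhaus publishes for the DBL. The hostnames, URLs and resolver answers are constructed (reserved .example names and a TEST-NET address) so that it runs offline; a real deployment passes the default `socket.gethostbyname` resolver and, for DQS, swaps `DBL_ZONE` for the key-prefixed DQS zone.

```python
"""Added example (not Spamhaus code): hostname extraction, DBL lookup and
return-code decoding for URLs found in malspam. Sample data is constructed."""
import ipaddress
import re
import socket
from urllib.parse import urlparse

DBL_ZONE = "dbl.spamhaus.org"   # DQS accounts use their own key-prefixed zone

# Published DBL return codes: 127.0.1.0/24 is the listing space, 127.255.255.x
# are errors. A hacked site serving malware, as with the Qbot droppers, answers
# "abused legit malware": the domain is not a spammer's, but is being misused.
DBL_CODES = {
    "127.0.1.2": "spam",
    "127.0.1.4": "phish",
    "127.0.1.5": "malware",
    "127.0.1.6": "botnet C&C",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
    "127.0.1.255": "IP queries prohibited",
    "127.255.255.252": "error: typo in DNSBL name",
    "127.255.255.254": "error: query via public/open resolver",
    "127.255.255.255": "error: excessive number of queries",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """URLs in a message body, with trailing sentence punctuation stripped."""
    return [u.rstrip(".,;:)]") for u in URL_RE.findall(text)]


def hostname_of(url):
    """Lower-cased hostname of a URL, or None if it cannot be parsed."""
    host = urlparse(url).hostname
    return host.lower().rstrip(".") if host else None


def dbl_lookup(host, resolve=socket.gethostbyname):
    """Query the DBL for one hostname; returns (code, meaning).

    `resolve` follows socket.gethostbyname's contract: it returns an IPv4
    string or raises socket.gaierror when the name does not exist."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                       # an ordinary hostname, carry on
    else:
        # The DBL lists domains only; an IP query just returns 127.0.1.255.
        return None, "skipped: bare IP address"
    try:
        code = resolve(f"{host}.{DBL_ZONE}")
    except socket.gaierror:
        return None, "not listed"
    return code, DBL_CODES.get(code, f"unknown DBL code {code}")


def is_listing(code):
    """True for a real listing, not for an error or the IP-query marker."""
    return code is not None and code.startswith("127.0.1.") and code != "127.0.1.255"


def classify_message(text, resolve=socket.gethostbyname):
    """'BAD' if any URL hostname in the body is DBL-listed, else 'OK'.

    Error codes are decoded but never block, so a misconfigured resolver
    fails open instead of rejecting all mail."""
    hits = []
    for url in extract_urls(text):
        host = hostname_of(url)
        if host:
            code, meaning = dbl_lookup(host, resolve)
            if is_listing(code):
                hits.append((host, code, meaning))
    return {"verdict": "BAD" if hits else "OK", "hits": hits}


def url_stats(messages):
    """(messages, unique URLs, unique hosts): with a fresh link per email the
    first two match while the host count stays much smaller."""
    urls = {u for m in messages for u in extract_urls(m)}
    hosts = {hostname_of(u) for u in urls} - {None}
    return len(messages), len(urls), len(hosts)


# Constructed sample data and an offline stand-in for the DBL resolver.
SAMPLE_MAILS = [
    "Invoice 4471 is ready: http://hacked-example-site.example/wp-content/a1b2c3/",
    "Invoice 4472 is ready: http://hacked-example-site.example/wp-content/d4e5f6/",
    "Your document: http://second-example-site.example/blog/x9y8z7.zip.",
    "Meeting notes at https://clean-site.example/notes/2020-06",
    "Download http://192.0.2.10/file.zip now",
]
FAKE_DBL = {
    f"hacked-example-site.example.{DBL_ZONE}": "127.0.1.105",
    f"second-example-site.example.{DBL_ZONE}": "127.0.1.105",
}


def fake_resolve(qname):
    """Stand-in for socket.gethostbyname holding the constructed DBL answers."""
    if qname in FAKE_DBL:
        return FAKE_DBL[qname]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        print(classify_message(mail, fake_resolve))
    print("messages, unique URLs, unique hosts:", url_stats(SAMPLE_MAILS))
```

Two design choices matter in practice. The lookup refuses to send bare IP addresses to the DBL, because the zone lists domains only and an IP query just burns a request. And only codes in the 127.0.1.0/24 listing space count as a hit: the 127.255.255.x answers mean the query itself failed (for instance, when sent through a public resolver instead of your own or a DQS zone), and treating them as listings would reject every message carrying a link.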
Permanent link to this news article: Tracking Qbot http://www.spamhaus.org/news/article/799/tracking-qbot
Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.