Qbot

Malware updated 4 days ago (2024-11-29T13:59:26.024Z)
Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware family that first emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23 crypter with Qbot was identified by X-Force in late February 2022. Since then, Qbot has served as an initial point of entry and a lateral-movement tool within compromised networks, most notably for the Black Basta ransomware group. This tactic is commonly employed by other ransomware operations, including Qbot and Black Basta.

The malware has been disseminated primarily through botnets, which have proven more effective than social engineering tactics. Notably, Qbot was one of the primary sources of ransomware delivery for the Russian-speaking domain until it was taken down by law enforcement action. Despite this setback, Qbot remains prevalent alongside other malware families such as FakeUpdates and Androxgh0st. Attack chains featuring DLL hijacking, often associated with state-sponsored actors such as Lazarus Group and Tropic Trooper, have also incorporated Qbot.

Beyond its role in ransomware attacks, Qbot has been instrumental in other forms of cybercrime. For instance, Emotet has used Qbot to install malware that steals users' banking data. TA577, an initial access broker, used Qbot extensively in three separate intrusion campaigns in November 2023. The typical attack chain begins with a Qbot infection, after which the operators use the post-exploitation tool Cobalt Strike to take control of the machine and finally deploy the ransomware. Despite an international law enforcement operation in August aimed at dismantling the Qbot botnet, it remains a significant threat in the cybersecurity landscape.
Description last updated: 2024-11-28T11:51:37.139Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so the following are possible overlapping names and profiles that may also be relevant. Each entry lists the alias, its description, and the number of votes supporting the overlap.

QakBot (15 votes): QakBot is a possible alias for Qbot. Qakbot is a type of malware, or malicious software, that infiltrates computer systems to exploit and damage them. This harmful program can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt ope

Pinkslipbot (11 votes): Pinkslipbot is a possible alias for Qbot. Pinkslipbot, also known as Qakbot, QBot or QuackBot, is a modular information-stealing malware that has been active since 2008. Initially emerging in 2007 as a banking trojan, it targeted financial institutions to steal sensitive data. Over the years, however, its functionality evolved and diversifi

Emotet (8 votes): Emotet is a possible alias for Qbot. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,

REvil (2 votes): REvil is a possible alias for Qbot. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Trojan
Windows
Exploit
Phishing
Loader
Cobalt Strike
Payload
Remcos
Infostealer
Exploits
Botnet
Spam
Vulnerability
Downloader
exploited
Kaspersky
Antivirus
Backdoor
Implant
Azure
Malware Loader
Cybercrime
Ransom
Associated Malware
The malware families below have been associated with Qbot. Each entry lists the associated malware, the association type, the number of votes, and a description.

Black Basta (association type: Unspecified, 6 votes): Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses

Conti (association type: Unspecified, 4 votes): Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona

Qakbot (Qbot) (association type: Unspecified, 4 votes): no description given.

Latrodectus (association type: Unspecified, 4 votes): Latrodectus, a harmful malware discovered in late 2023, has been gaining momentum among threat actors, with a significant increase in activity noted throughout February and March. This malicious software is being employed by initial access brokers (IABs) in email threat campaigns and uses MSI files

IcedID (association type: Unspecified, 4 votes): IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d

Egregor (association type: Unspecified, 3 votes): Egregor is a malicious software variant of the Sekhmet ransomware that operates on a Ransomware-as-a-Service (RaaS) model. It is speculated to be associated with former Maze affiliates, and is notorious for its double extortion tactics, which involve not only encrypting the victim's data but also pu

Formbook (association type: Unspecified, 3 votes): Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms o

Pikabot (association type: Unspecified, 3 votes): Pikabot is a malicious software (malware) that has been used extensively by various threat groups to exploit and damage computer systems. Initially, the BlackBasta group used phishing and vishing to deliver malware types such as DarkGate and Pikabot but quickly sought alternatives for further malici

Anubis (association type: Unspecified, 3 votes): Anubis, also known as IcedID or Bokbot, is a sophisticated piece of malware primarily functioning as a banking trojan. It was first discovered by X-Force in September 2017 and has since evolved to target a wide range of financial applications. Notably, Anubis has consistently ranked among the top fi

Clop (association type: Unspecified, 2 votes): Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin

MegaCortex (association type: Unspecified, 2 votes): MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria

ProLock (association type: Unspecified, 2 votes): ProLock is a type of malware, specifically ransomware, that is designed to infiltrate computer systems, often unbeknownst to the user. It typically enters systems through suspicious downloads, emails, or websites. Once inside, ProLock can steal personal information, disrupt operations, and hold data

Raspberry Robin (association type: Unspecified, 2 votes): Raspberry Robin is a sophisticated malware that uses advanced techniques to infiltrate and exploit computer systems. The malicious software is designed to stealthily enter a system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can wreak havoc by st

Brute Ratel (association type: Unspecified, 2 votes): Brute Ratel C4 (BRc4) is a potent malware that has been used in various cyber-attacks over the past 15 years. The malware infects systems through deceptive MSI installers, which deploy the BRc4 by disguising the payload as legitimate software such as vierm_soft_x64.dll under rundll32 execution. Vari

DoppelPaymer (association type: Unspecified, 2 votes): DoppelPaymer is a type of malware, specifically ransomware, that was initially developed and operated by the GOLD DRAKE threat group under the name BitPaymer. The software was later reworked and renamed to DoppelPaymer by another threat group, GOLD HERON. This malicious software first appeared in mi

FakeUpdates (association type: Unspecified, 2 votes): FakeUpdates, a malicious software (malware), has become increasingly prevalent in recent years. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, and can disrupt operations, steal personal information, or hold data hostage for ransom. In 2022, a

DarkGate (association type: Unspecified, 2 votes): DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio
Associated Threat Actors
The threat actors below have been associated with Qbot. Each entry lists the actor, the association type, the number of votes, and a description.

TA577 (association type: Unspecified, 5 votes): TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicall
Associated Vulnerabilities
The vulnerabilities below have been associated with Qbot. Each entry lists the vulnerability, the association type, the number of votes, and a description.

CVE-2022-41073 (association type: Unspecified, 2 votes): no description given.

Follina (association type: Unspecified, 2 votes): Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product,
Source Document References
Information about the Qbot malware was drawn from the documents in the Cybergeist source corpus.