Qbot

Malware updated 23 days ago (2024-09-25T14:00:56.572Z)
Download STIX
Preview STIX
Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The first known use of an ITG23 crypter with Qbot was identified by X-Force in late February 2022, and since then, attack chains featuring DLL hijacking have been steadily employed, primarily by state-sponsored actors such as Lazarus Group and Tropic Trooper, and occasionally by the cybercrime industry in conjunction with QBot infostealer and Dridex banking Trojan. Unit 42 observed the Black Basta ransomware group using QBot as an initial point of entry and to move laterally within compromised networks. This tactic is common among other ransomware operations, including Qbot and BlackBasta. In these attack chains, the infection begins with a QBot compromise, followed by the use of the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. Trojans including Emotet and Qbot have spread via VBS and are known to install malware such as Trickbot and Qbot, which steal users’ bank data and carry out ransomware attacks. In August, Qbot was targeted by an international law enforcement operation named Operation Duck Hunt, which resulted in the dismantling of the botnet. U.S. authorities reported that it "ceased to operate" as a result of this antimalware campaign. Despite this, TA577, an initial access broker previously using QBot extensively, was identified by Proofpoint using Latrodectus in three separate intrusion campaigns in November 2023. The report also highlighted the prevalence of malware families such as FakeUpdates, Androxgh0st, and Qbot.
Description last updated: 2024-09-25T13:16:49.044Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
QakBot is a possible alias for Qbot. Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includin
15
Pinkslipbot is a possible alias for Qbot. Pinkslipbot, also known as Qakbot, QBot or QuackBot, is a modular information-stealing malware that has been active since 2008. Initially emerging in 2007 as a banking trojan, it targeted financial institutions to steal sensitive data. Over the years, however, its functionality evolved and diversifi
11
Emotet is a possible alias for Qbot. Emotet is a particularly dangerous and insidious type of malware that has reemerged as a significant threat. This malicious software, which infects systems through suspicious downloads, emails, or websites, can steal personal information, disrupt operations, or even hold data for ransom. Emotet-infe
8
REvil is a possible alias for Qbot. REvil is a notorious malware, specifically a type of ransomware, that gained prominence in the cybercrime world as part of the Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, establishing relationships between first-stage malwares and subsequent ransomware attac
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Trojan
Windows
Exploit
Phishing
Loader
Cobalt Strike
Payload
Remcos
Exploits
Botnet
Spam
Vulnerability
Infostealer
Downloader
Clop
exploited
Kaspersky
Antivirus
Backdoor
Implant
Azure
Malware Loader
Cybercrime
Ransom
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Black Basta Malware is associated with Qbot. Black Basta is a notorious malware and ransomware group known for its high-profile attacks on various sectors. The group, also known as Storm-0506, has been active since at least early 2022 and has accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit vulUnspecified
6
The IcedID Malware is associated with Qbot. IcedID is a type of malware, malicious software designed to exploit and damage computer systems. It has been identified in association with various other malwares such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, and Pikabot. The IcedID IntBot Loader (int-bot.dll) isUnspecified
4
The malware Qakbot (Qbot is associated with Qbot. Unspecified
4
The Latrodectus Malware is associated with Qbot. Latrodectus, a new type of malware discovered in late 2023, is being used by Initial Access Brokers (IABs) in email threat campaigns. Initially mistaken for a variant of the well-known IcedID malware due to similar characteristics, researchers at Proofpoint and Team Cymru S2 Threat Research Team havUnspecified
4
The Anubis Malware is associated with Qbot. Anubis, also known as IcedID or Bokbot, is a sophisticated piece of malware primarily functioning as a banking trojan. It was first discovered by X-Force in September 2017 and has since evolved to target a wide range of financial applications. Notably, Anubis has consistently ranked among the top fiUnspecified
3
The Conti Malware is associated with Qbot. Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware opUnspecified
3
The Egregor Malware is associated with Qbot. Egregor is a malicious software variant of the Sekhmet ransomware that operates on a Ransomware-as-a-Service (RaaS) model. It is speculated to be associated with former Maze affiliates, and is notorious for its double extortion tactics, which involve not only encrypting the victim's data but also puUnspecified
3
The Formbook Malware is associated with Qbot. Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms oUnspecified
3
The Pikabot Malware is associated with Qbot. PikaBot is a malicious software (malware) known for providing initial access to infected computers, enabling ransomware deployments, remote takeovers, and data theft. It's part of an array of malware families such as IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoader, among others, which have beenUnspecified
3
The MegaCortex Malware is associated with Qbot. MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industriaUnspecified
2
The ProLock Malware is associated with Qbot. ProLock is a type of malware, specifically ransomware, that is designed to infiltrate computer systems, often unbeknownst to the user. It typically enters systems through suspicious downloads, emails, or websites. Once inside, ProLock can steal personal information, disrupt operations, and hold dataUnspecified
2
The Raspberry Robin Malware is associated with Qbot. Raspberry Robin is a sophisticated piece of malware that uses a variety of tactics to infiltrate and exploit computer systems. It employs the CPUID instruction to conduct several checks, enabling it to assess the system's characteristics and vulnerabilities. Furthermore, Raspberry Robin has been obsUnspecified
2
The Brute Ratel Malware is associated with Qbot. Brute Ratel is a malicious software (malware) that has been increasingly used by cyber threat actors to exploit and damage computer systems. It is often delivered through suspicious downloads, emails, or websites and can infiltrate systems without the user's knowledge. Once inside, Brute Ratel can sUnspecified
2
The Doppelpaymer Malware is associated with Qbot. DoppelPaymer is a type of malware, specifically ransomware, that was initially developed and operated by the GOLD DRAKE threat group under the name BitPaymer. The software was later reworked and renamed to DoppelPaymer by another threat group, GOLD HERON. This malicious software first appeared in miUnspecified
2
The Fakeupdates Malware is associated with Qbot. FakeUpdates, a malicious software (malware), has become increasingly prevalent in recent years. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, and can disrupt operations, steal personal information, or hold data hostage for ransom. In 2022, aUnspecified
2
The Darkgate Malware is associated with Qbot. DarkGate is a multifunctional malware known for its capabilities in information and credential stealing, cryptocurrency theft, and ransomware delivery. A recent campaign has seen it exploit a zero-day vulnerability in Microsoft Windows, allowing it to infiltrate systems undetected. DarkGate can be dUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The TA577 Threat Actor is associated with Qbot. TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicallUnspecified
5
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The vulnerability CVE-2022-41073 is associated with Qbot. Unspecified
2
The Follina Vulnerability is associated with Qbot. Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product,Unspecified
2
Source Document References
Information about the Qbot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Checkpoint
23 days ago
Checkpoint
4 months ago
RIA - Information System Authority
4 months ago
Pulsedive
4 months ago
BankInfoSecurity
5 months ago
Securityaffairs
5 months ago
BankInfoSecurity
5 months ago
BankInfoSecurity
5 months ago
Krebs on Security
5 months ago
Securityaffairs
5 months ago
InfoSecurity-magazine
6 months ago
BankInfoSecurity
6 months ago
DARKReading
6 months ago
CERT-EU
7 months ago
CERT-EU
7 months ago
CERT-EU
7 months ago
CERT-EU
7 months ago
CERT-EU
7 months ago
Malwarebytes
8 months ago
BankInfoSecurity
8 months ago