Malware is now so widespread that individual strains grow into entire "families" of related variants. Qbot, a malware family used to steal data, is one example. But where did Qbot come from, how dangerous is it, and can you steer clear of it?

The Origins of Qbot

As is often the case with malware, Qbot (also known as Qakbot, Quakbot, or Pinkslipbot) was first identified after it was found in the wild. In cybersecurity terms, "in the wild" refers to malware that is actively spreading among real devices, without their users' knowledge or consent, rather than existing only as a sample in a lab. Qbot is thought to have been in operation since at least 2007, which makes it considerably older than many of the strains that are popular today.

Many forms of malware from the 2000s are no longer in use, simply because they can no longer get past modern defenses. Qbot stands out here: at the time of writing, it has been in operation for at least 16 years, an unusually long lifespan for a malware program.

Since 2007, Qbot has been repeatedly observed in use in the wild, though its activity has been interrupted by periods of dormancy. Either way, it remains a popular choice among cybercriminals.

Qbot has evolved over the years and has been used by many different hackers for many different reasons. It began as a Trojan, a program that hides inside something that looks harmless, such as an ordinary document or app. Trojans can serve many malicious purposes, including data theft and remote access. Qbot, more specifically, went after banking credentials, which is why it is classed as a banking Trojan.

But is this still the case? How does Qbot operate today?

How Does Qbot Work?


The Qbot seen today comes in many forms, but it is best known as an infostealer Trojan. As the name suggests, infostealer Trojans are designed to harvest valuable data such as payment information, login credentials, and contact details. In Qbot's case, the main prize is passwords.

Qbot variants have also been observed performing keylogging, hooking into running processes, and planting backdoors on compromised systems.

Since its creation, Qbot has been extended with backdoor capabilities, which makes it that much more of a threat. A backdoor is an unofficial way into a system or network that bypasses normal authentication. Attackers rely on backdoors because they provide a ready-made route back in after the initial compromise. "Backdoor.Qbot" is the detection name given to this variant of Qbot.

Qbot has also been distributed by Emotet, another Trojan that grew into a malware-delivery botnet. Most often, though, Qbot spreads through malicious email campaigns carrying attachments. Such campaigns send large volumes of spam to hundreds or even thousands of recipients in the hope that some of them will open what they have been sent.

In those attachments, Qbot has commonly been packaged as a .zip file containing a macro-laden XLS dropper: a spreadsheet whose embedded VBA macro fetches and runs the real payload once the recipient enables content. If the recipient opens the attachment and allows the macro to run, the malware is deployed on their device, often without any visible sign.

Qbot can also be spread via exploit kits, tools that help cybercriminals deploy malware. An exploit kit probes a visiting device for known, unpatched vulnerabilities, typically in the browser or its plugins, and then abuses one of them to gain unauthorized access and drop the payload.

But things don't stop with password stealing and backdoors. Qbot operators have also played a big role as Initial Access Brokers, cybercriminals who sell access to compromised systems to other malicious actors. In Qbot's case, access has been handed to some huge groups, including the REvil ransomware-as-a-service operation. In fact, various ransomware affiliates have been observed using Qbot for initial access to victim networks, giving this malware yet another concerning purpose.

Qbot has appeared in many malicious campaigns and is used to target a wide range of industries. Healthcare organizations, banks, government bodies, and manufacturing companies have all been hit. TrendMicro reported in 2020 that 28.1 percent of Qbot's targets were in healthcare.

The same report identified eight further industries, alongside numerous miscellaneous others, in Qbot's target range:

  • Manufacturing.
  • Governments.
  • Insurance.
  • Education.
  • Technology.
  • Oil and gas.
  • Transportation.
  • Retail.

TrendMicro also stated in the same report that Thailand, China, and the US had the highest numbers of Qbot detection in 2020. Other common detection locations included Australia, Germany, and Japan, so Qbot is evidently a global threat.

Qbot has survived for so many years because its attack and evasion tactics have continually evolved to keep pace with modern defenses. Its versatility also makes it dangerous to people worldwide, since a single program can be turned against them in so many different ways.

How to Avoid Qbot Malware

It is virtually impossible to avoid malware 100 percent of the time, and even the best antivirus program cannot stop every attack. Still, keeping up-to-date antivirus software installed on your device plays a crucial role in protecting you against malware, and it should be considered the first step in cybersecurity. So, what's next?

Because Qbot is commonly spread through spam campaigns, it's important that you're aware of the indicators of malicious mail.

There are numerous red flags that can expose an email as malicious, starting with its contents. If an address you have never dealt with sends you a link or an attachment, it's wise to steer clear until you know for sure it can be trusted. Various link-checking sites will let you verify a URL before you click it, and hovering over a link to compare the displayed text with the real destination is a quick first check.


Attachments can be just as dangerous as links when it comes to malware infection, so you need to be cautious of them when receiving emails.

Certain attachment file extensions are used to spread malware more than others, including .pdf, .exe, .doc, .xls, and .scr. These are not the only extensions used for infection, but they are among the most common, so treat them with care when they arrive unexpectedly. Archives such as .zip deserve the same scrutiny, since, as noted above, Qbot's own droppers usually arrive inside one, and a document that asks you to "enable content" or "enable macros" should never be trusted on the strength of an email alone.
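The two warning signs discussed on this page, a .zip attachment wrapping a macro-laden Office document and the list of commonly abused extensions, can be turned into a simple triage check. The script below is an added example written for this article, not code from the original page or from any security vendor. It reads a saved .eml message, walks its attachments, flags risky extensions, looks one level inside .zip archives, and checks Office files for a VBA project (an OOXML file is a zip that contains vbaProject.bin; a legacy OLE file stores its stream names in UTF-16LE, so the _VBA_PROJECT storage name is used as a byte-pattern heuristic). The sample message, filenames and file contents are constructed for the demonstration and are not a real capture; a full OLE parse would need oletools, which this example does not assume.

```python
# Added example: attachment triage for a saved e-mail (.eml), stdlib only.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the article lists as commonly abused; .zip is handled as an archive.
RISKY_EXTENSIONS = {".pdf", ".exe", ".doc", ".xls", ".scr"}
ARCHIVE_EXTENSIONS = {".zip"}
# Every OOXML document (.docm/.xlsm/...) that carries VBA has this zip member.
OOXML_MACRO_MEMBER = "vbaproject.bin"
# Legacy binary Office files (.doc/.xls) are OLE compound files with this header.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE stores stream names as UTF-16LE; a VBA project always creates this storage.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def _ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def has_macro(data: bytes) -> bool:
    """Heuristic check for a VBA project in an Office file held in memory.

    The OLE branch is a byte-pattern heuristic, not a full compound-file parse;
    use oletools/olevba for anything beyond first-pass triage.
    """
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data
    if data.startswith(b"PK"):  # OOXML documents are zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith(OOXML_MACRO_MEMBER) for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def _inspect(name: str, data: bytes, label: str = "") -> list:
    """Reasons to flag one file; label prefixes reasons for archive members."""
    reasons = []
    ext = _ext(name)
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"{label}{name}: risky extension {ext}")
    if has_macro(data):
        reasons.append(f"{label}{name}: contains VBA macro")
    return reasons


def triage_attachments(raw_eml: bytes) -> list:
    """Return [(attachment filename, [reasons])] for every flagged attachment."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = _inspect(name, data)
        # Look inside archives: the dangerous file is usually one level down.
        if _ext(name) in ARCHIVE_EXTENSIONS:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as z:
                    for member in z.infolist():
                        if not member.is_dir():
                            reasons += _inspect(member.filename, z.read(member), "archive member ")
            except zipfile.BadZipFile:
                reasons.append(f"{name}: archive is malformed or not a zip")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_eml() -> bytes:
    """Constructed sample (not a real capture): a .zip holding a macro-enabled
    workbook and a fake legacy .xls, plus a harmless text attachment."""
    xlsm = io.BytesIO()
    with zipfile.ZipFile(xlsm, "w") as z:  # minimal OOXML-shaped workbook
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\x00placeholder VBA project")
    # Stand-in for a legacy .xls: correct OLE header plus the VBA storage name.
    fake_xls = OLE_MAGIC + b"\x00" * 24 + OLE_VBA_MARKER
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_4471.xlsm", xlsm.getvalue())
        z.writestr("Report.xls", fake_xls)
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please review the attached invoice today.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice.zip")
    msg.add_attachment("Agenda for Monday.", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, why in triage_attachments(build_sample_eml()):
        print(attachment)
        for reason in why:
            print("  -", reason)
```

Running the script flags Invoice.zip three times: the .xlsm member is caught only by the macro check (its extension is not on the article's list, which is exactly why an extension list alone is not enough), and the .xls member is caught both by extension and by the VBA marker, while notes.txt passes. Treat the output as a prompt to quarantine or sandbox the file, not as a verdict.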

If you're ever sent an email from a new sender that contains a sense of urgency, you should also be on your guard. Cybercriminals tend to use persuasive language in their communications to push victims into complying.

For example, you may receive an email stating that one of your social media accounts has been locked due to repeated login attempts. The email could contain a link that you supposedly need to click to log in and unlock the account, but in reality it leads to a malicious site designed to steal whatever you type in (in this case, your login credentials). So, if you receive a particularly persuasive email, consider whether you're being manipulated into compliance, because that is a very real possibility.

Qbot Is a Major Form of Malware

Increasing the versatility of a malware program almost always makes it more of a threat, and over time Qbot's diversification has established it as a dangerous force. This form of malware will likely continue to evolve, and there's really no knowing what capabilities it will adopt next.