Qbot is Back.Connect

Jan. 22, 2025, 9:46 a.m.

Description

Qbot, an information stealer active since 2007, has re-emerged after a law enforcement disruption in May 2024. New research reveals connections between Qbot, Zloader, and BlackBasta ransomware. A new backConnect malware, likely developed by Qbot operators, uses DLL side-loading techniques and RC4 encryption. The malware checks for running copies of itself, uses registry keys for configuration, and communicates system information to its command and control server. Analysis of related files suggests potential use in future ransomware attacks. The report provides IOCs and a YARA rule for detection.

External References

https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f
https://otx.alienvault.com/pulse/6790b64e2defc76e41cb3983
Tags
qakbot
qbot
quackbot
2025-01-22

Date

  • Created: Jan. 22, 2025, 9:11 a.m.
  • Published: Jan. 22, 2025, 9:11 a.m.
  • Modified: Jan. 22, 2025, 9:46 a.m.

Attack Patterns

  • BlackBasta
  • QuackBot
  • Pinkslipbot
  • QakBot - S0650
  • Zloader
  • QBot
  • Qbot
  • T1573.002
  • T1573.001
  • T1547.001
  • T1012
  • T1071.001
  • T1082
  • T1055
  • T1140
  • T1027
  • T1112