Qbot returns and it’s more difficult to spot

BAE Systems has published an article on QBot returning in a form that is “harder to detect and intercept”.

According to a BAE report, the malware has already infected more than 54,000 computers across thousands of organizations. ESET detects this threat as Win32/Qbot and Win32/Kryptik.

Analysts noted:

BAE Systems’ analysts discovered a number of modifications had been made to the original Qbot malware to make it harder to detect and intercept. These included a new ‘shape changing’ or polymorphic code, which meant that each time the malware’s code was issued by the servers controlling it, it was compiled afresh with additional content, making it look like a completely different programme (sic) to researchers looking for specific signatures.

IT Pro noted that the malware can also detect if it is being examined in a sandbox environment – a tool commonly used by security researchers to analyze malware before it can cause damage to users.

An incident response team at BAE Systems discovered the newly enhanced threat in early 2016, when 500 computers belonging to an as-yet unnamed public sector organization were infected.

The BAE Systems blog entry notes that cybercriminals have specifically targeted public organizations including police departments, hospitals and universities.

Adrian Nish, head of Cyber Threat Intelligence at BAE Systems, explained: “Many public sector organizations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks.

“In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organization to the spreading problem.”

The BAE Systems report categorizes Qbot as a “network-aware worm with backdoor credentials, primarily used for harvesting user credentials”.

It’s also noted that Qbot could still continue to spread, and organizations are being advised to update their defensive systems and search them for signs of attack.
