This new strain of Qbot malware is tougher than ever to find and destroy

Shape-shifting malware is targeting public sector, warns BAE Systems


Security researchers have discovered a new strain of the Qbot malware that is hard to find and difficult to remove.

The malware has already infected over 50,000 PCs globally, according to research by BAE Systems, which discovered it at the start of the year after an attack on a public sector organisation that left 500 computers infected.

Researchers managed to analyse the new strain and discovered a number of modifications had been made to the original Qbot malware to make it harder to detect and intercept.

These included new 'shape-changing' or polymorphic code, meaning that each time the malware's code was issued by the servers controlling it, it was compiled afresh with additional content, so that it looked like a completely different programme to researchers looking for specific signatures.

The malware can also detect if it is being looked at in a sandbox environment - a tool used to spot malware before it reaches users' inboxes.

The malware has been found to target public organisations such as police departments, hospitals and universities. BAE Systems said that because of a combination of detection avoidance and automated infection, there is a risk that Qbot will continue to spread unless organisations take steps to protect themselves.

"Many public sector organisations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks. In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organisation to the spreading problem," said Adrian Nish, head of cyber threat intelligence at BAE Systems.

"This case illustrates that organisations must remain alert to, and defend against, new and evolving cyber threats. Qbot first came to light in 2009, but this new version is equipped with advanced tools to escape detection and infect quickly."

Jens Monrad, systems engineer at FireEye, told IT Pro that malware like Qbot, also known as Qakbot, is categorised as a worm.

"The reason for this is the malware has the capability to spread and infect on its own at a very fast pace. This means if an organisation has failed to detect the initial compromise, the malware will continue to spread via network shares and removable drives, providing the operator or cybercriminal with a very large source of compromised endpoints," he said.

"The cybercriminal can then choose a variety of options, including theft of potentially sensitive data, as well as facilitating a backdoor into the compromised organisation, giving the attacker an opportunity to steal credentials, deliver more sophisticated malware or in general cause disruption within the infrastructure."
