This new strain of Qbot malware is tougher than ever to find and destroy

Shape-shifting malware is targeting public sector, warns BAE Systems

Security researchers have discovered a new strain of the Qbot malware that is hard to find and difficult to remove.

The malware has already infected over 50,000 PCs globally, according to research by BAE Systems, which discovered it at the start of the year after an attack on a public sector organisation that left 500 computers infected.

Researchers managed to analyse the new strain and discovered a number of modifications had been made to the original Qbot malware to make it harder to detect and intercept.

These included new 'shape-changing' or polymorphic code, which meant that each time the malware's code was issued by the servers controlling it, it was compiled afresh with additional content, making it look like a completely different programme to researchers looking for specific signatures.
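The recompile-on-every-download trick described above is what makes file-hash indicators so short-lived: two downloads of the same payload produce two different files, so a hash captured from the first infection never matches the second. The Python below is an added illustration, not code from the article or from BAE Systems' analysis. It simulates a builder that wraps a fixed core in fresh padding on every build, then compares a hash-based indicator against a content rule keyed on what the code must keep to function. The core bytes, the marker string and the function names are all constructed for the example and are not Qbot artefacts.

```python
import hashlib
import random
import re

# Hypothetical invariant core: a short byte sequence plus a string that every
# build of the (constructed) payload must contain to work. Both values are
# made up for this example; they are not real Qbot indicators.
CORE_PROLOGUE = b"\x55\x48\x89\xe5"
CORE_STRING = b"fetch-update-from-controller"


def build_variant(seed: int) -> bytes:
    """Simulate server-side recompilation: same core, different layout.

    Each seed yields different junk before the core, a variable-length gap
    between prologue and string, and different junk after it, the way a
    polymorphic builder changes the file without changing its behaviour.
    """
    rnd = random.Random(seed)

    def junk(n: int) -> bytes:
        return bytes(rnd.getrandbits(8) for _ in range(n))

    return (junk(rnd.randint(32, 128))
            + CORE_PROLOGUE + junk(rnd.randint(0, 24)) + CORE_STRING
            + junk(rnd.randint(32, 128)))


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def matches_hash_ioc(blob: bytes, known_hashes: set) -> bool:
    """Hash-based indicator: exact match only, so any byte change defeats it."""
    return sha256_hex(blob) in known_hashes


# Content rule: the prologue, up to 24 arbitrary bytes, then the marker string.
# This is the shape of a YARA-style rule anchored on invariant content.
INVARIANT_RULE = re.compile(
    re.escape(CORE_PROLOGUE) + rb".{0,24}?" + re.escape(CORE_STRING), re.DOTALL
)


def matches_invariant_rule(blob: bytes) -> bool:
    """Return True when the invariant core is present regardless of padding."""
    return INVARIANT_RULE.search(blob) is not None


def compare_detection(seeds=(1, 2, 3)) -> dict:
    """Build one variant per seed and count hits for each detection method.

    The hash indicator is taken from the first variant only, modelling an
    IoC shared after the first sighting.
    """
    variants = [build_variant(s) for s in seeds]
    known = {sha256_hex(variants[0])}
    return {
        "distinct_hashes": len({sha256_hex(v) for v in variants}),
        "hash_ioc_hits": sum(matches_hash_ioc(v, known) for v in variants),
        "invariant_hits": sum(matches_invariant_rule(v) for v in variants),
    }


if __name__ == "__main__":
    print(compare_detection())
```

Run as-is, it reports three distinct hashes, one hash-indicator hit (the variant the hash was taken from) and three invariant-rule hits. The caveat a practitioner would add: a real polymorphic engine can also rewrite the core, so byte-pattern rules only buy time; that is why the article's next point, behavioural analysis in a sandbox, matters as the backstop.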


The malware can also detect if it is being looked at in a sandbox environment - a tool used to spot malware before it reaches users' inboxes.

The malware has been found to target public organisations such as police departments, hospitals and universities. BAE Systems said that because of a combination of detection avoidance and automated infection, there is a risk that Qbot will continue to spread unless organisations take steps to protect themselves.

"Many public sector organisations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks. In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organisation to the spreading problem," said Adrian Nish, head of cyber threat intelligence at BAE Systems.

"This case illustrates that organisations must remain alert to, and defend against, new and evolving cyber threats. Qbot first came to light in 2009, but this new version is equipped with advanced tools to escape detection and infect quickly."

Jens Monrad, systems engineer at FireEye, told IT Pro that malware like Qbot, also known as Qakbot, is categorised as a worm.

"The reason for this is the malware has the capability to spread and infect on its own at a very fast pace. This means if an organisation has failed to detect the initial compromise, the malware will continue to spread via network shares and removable drives, providing the operator or cybercriminal with a very large source of compromised endpoints," he said.


"The cybercriminal can then choose a variety of options, including theft of potentially sensitive data, as well as facilitating a backdoor into the compromised organisation, giving the attacker an opportunity to steal credentials, deliver more sophisticated malware or in general cause disruption within the infrastructure."
