This new strain of Qbot malware is tougher than ever to find and destroy

Shape-shifting malware is targeting public sector, warns BAE Systems

Security researchers have discovered a new strain of the Qbot malware that is hard to find and difficult to remove.

The malware has already infected over 50,000 PCs globally, according to research by BAE Systems, which discovered it at the start of the year after an attack on a public sector organisation that left 500 computers infected.

Researchers managed to analyse the new strain and discovered a number of modifications had been made to the original Qbot malware to make it harder to detect and intercept.

These included new 'shape-changing', or polymorphic, code, which meant that each time the malware's code was issued by the servers controlling it, it was compiled afresh with additional content, making it look like a completely different programme to researchers looking for specific signatures.

The malware can also detect if it is being looked at in a sandbox environment - a tool used to spot malware before it reaches users' inboxes.

The malware has been found to target public organisations such as police departments, hospitals and universities. BAE Systems said that because of a combination of detection avoidance and automated infection, there is a risk that Qbot will continue to spread unless organisations take steps to protect themselves.

"Many public sector organisations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks. In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organisation to the spreading problem," said Adrian Nish, head of cyber threat intelligence at BAE Systems.

"This case illustrates that organisations must remain alert to, and defend against new and evolving cyber threats. Qbot first came to light in 2009, but this new version is equipped with advanced tools to escape detection and infect quickly."

Jens Monrad, systems engineer at FireEye, told IT Pro that malware like Qbot, also known as Qakbot, is categorised as a worm.

"The reason for this is the malware has the capability to spread and infect on its own at a very fast pace. This means if an organisation has failed to detect the initial compromise, the malware will continue to spread via network shares and removable drives, providing the operator or cybercriminal with a very large source of compromised endpoints," he said.

"The cybercriminal can then choose a variety of options, including theft of potentially sensitive data, as well as facilitating a backdoor into the compromised organisation, giving the attacker an opportunity to steal credentials, deliver more sophisticated malware or in general cause disruption within the infrastructure."
