The QBot trojan (also known as Qakbot or Pinkslipbot) once again draws the attention of cybersecurity experts. This malicious tool, active since 2007, remains one of the most resilient examples of banking trojans, having evolved into a sophisticated platform for conducting cyberattacks.
In August 2024, law enforcement agencies conducted a large-scale operation to disrupt the activities of QBot operators. Subsequently, ZScaler identified connections between QBot’s functionality and other threats, including the malware Zloader, which leverages DNS tunneling for covert data exfiltration.
During their analysis of malicious files, researchers uncovered intriguing details. One of the discovered samples, containing the archive “pack.dat,” included several suspicious components, such as executable (exe) and dynamic-link library (dll) files. These files work in tandem to decrypt an embedded PE file, which initiates further malicious activities. The use of the RC4 encryption algorithm highlights the sophisticated nature of the cybercriminals behind the malware.
The research confirmed that QBot has undergone significant evolution, integrating a modular architecture that enables it to function as a platform for deploying additional malicious modules. For instance, the newly developed BackConnect module was designed to monitor processes and transmit information about infected systems through encrypted channels. Analysts found that this module utilizes low-level functions to manipulate processes, interact with the Windows registry, and bypass standard security mechanisms while analyzing system behavior.
Further monitoring revealed a connection between QBot activity and a campaign distributing the BlackBasta ransomware. Modern tactics, such as sideloading, allow attackers to enhance their operations and evade traditional defense measures with remarkable efficiency. Researchers warn that these methods could facilitate future ransomware-driven attacks.
To combat this threat, ZScaler has published YARA rules to help identify new versions of the malware. However, the effectiveness of these measures depends on how swiftly they are implemented into defense systems.
