Security researchers have discovered a new strain of the Qbot malware that is hard to find and difficult to remove.
The malware has already infected over 50,000 PCs globally, according to research by BAE Systems, which discovered it at the start of the year after an attack on a public sector organisation that left 500 of its computers infected.
Researchers managed to analyse the new strain and discovered a number of modifications had been made to the original Qbot malware to make it harder to detect and intercept.
These included ‘shape-changing’, or polymorphic, code: each time the malware was issued by the servers controlling it, it was compiled afresh with additional content, so every copy looked like a completely different programme to researchers looking for specific signatures.
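To make the point concrete, here is an added simulation (not Qbot code and not BAE Systems' analysis) of the mechanism the article describes: a fixed functional core is shipped each time inside fresh, varying filler. The core bytes, the filler generator and the `CONNECT:` marker are assumptions made up for the example. It shows why a whole-file hash blocklist misses every new build while a signature on the unchanging fragment still fires.

```python
"""Added illustration of per-build repacking versus two kinds of signature.
Constructed for this article; the payload and filler are assumptions."""
import hashlib
import os
import re

# Constructed stand-in for the functional part of the malware, which the
# attacker does not change between builds (assumption: only filler varies).
CORE = b"\x55\x89\xe5\x83\xec\x10CONNECT:c2.example.invalid:443\xc9\xc3"


def build_variant(core: bytes = CORE, junk_len: int = 64) -> bytes:
    """Emit a new 'build': random filler before and after the same core."""
    return os.urandom(junk_len) + core + os.urandom(junk_len)


def file_hash(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def hash_signature_matches(sample: bytes, known_hashes: set) -> bool:
    """Whole-file hash blocklist: what a naive signature database does."""
    return file_hash(sample) in known_hashes


# Content signature over an invariant fragment of the core (YARA-style idea):
# the prologue bytes followed within a few bytes by the C2 marker.
CONTENT_RULE = re.compile(rb"\x55\x89\xe5.{0,8}CONNECT:", re.DOTALL)


def content_signature_matches(sample: bytes) -> bool:
    return CONTENT_RULE.search(sample) is not None


def demo(n_variants: int = 5) -> dict:
    """Blocklist the first build, then test later builds with both methods."""
    blocklist = {file_hash(build_variant())}
    variants = [build_variant() for _ in range(n_variants)]
    return {
        # every build hashes differently, so the blocklist never grows useful
        "distinct_hashes": len({file_hash(v) for v in variants} | blocklist),
        "hash_hits": sum(hash_signature_matches(v, blocklist) for v in variants),
        "content_hits": sum(content_signature_matches(v) for v in variants),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat a defender should keep in mind: this simulation only pads the core, so a byte pattern in the core survives. A packer that also encrypts or re-orders the core defeats static content rules too, and detection then has to target the decoded payload in memory or the malware's behaviour (the sandbox approach the article mentions next), which is exactly why sandbox evasion is worth the attacker's effort.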
The malware can also detect if it is being looked at in a sandbox environment – a tool used to spot malware before it reaches users’ inboxes.
The malware has been found to target public sector organisations such as police departments, hospitals and universities. BAE Systems said that because of the combination of detection avoidance and automated infection, there is a risk that Qbot will continue to spread unless organisations take steps to protect themselves.
“Many public sector organisations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks. In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organisation to the spreading problem,” said Adrian Nish, head of cyber threat intelligence at BAE Systems.
“This case illustrates that organisations must remain alert to, and defend against new and evolving cyber threats. Qbot first came to light in 2009, but this new version is equipped with advanced tools to escape detection and infect quickly.”
Jens Monrad, systems engineer at FireEye, told IT Pro that malware like Qbot, also known as Qakbot, is categorised as a worm.
“The reason for this is the malware has the capability to spread and infect on its own at a very fast pace. This means if an organisation has failed to detect the initial compromise, the malware will continue to spread via network shares and removable drives, providing the operator or cybercriminal with a very large source of compromised endpoints,” he said.
“The cybercriminal can then choose a variety of options, including theft of potentially sensitive data, as well as facilitating a backdoor into the compromised organisation, giving the attacker an opportunity to steal credentials, deliver more sophisticated malware or in general cause disruption within the infrastructure.”
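The spread pattern Monrad describes, one compromised host pushing copies of itself to many others over network shares, is also something a defender can hunt for once the initial compromise has been missed. The following is an added example, not code from the article, FireEye or BAE Systems: a small hunt over constructed log lines that flags a client writing executables to administrative shares on several hosts within a short window. The line format is an assumption for the example; it loosely mirrors the fields Windows Security event 5145 reports (client address, account, share, target file, access mask) but is not that event's real layout, and the hostnames and addresses are made up.

```python
"""Added hunt for worm-style spread over network shares.
Log format, hosts and addresses below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, logging host, client IP, account,
# share, relative target path, access mask (0x2 = WriteData/AddFile).
SAMPLE_LOG = r"""
2016-04-12T09:01:02 host-01 10.0.5.23 CORP\svc-backup \\*\ADMIN$ temp\update.exe 0x2
2016-04-12T09:01:04 host-02 10.0.5.23 CORP\svc-backup \\*\ADMIN$ temp\update.exe 0x2
2016-04-12T09:01:05 host-03 10.0.5.23 CORP\svc-backup \\*\C$ Windows\Temp\update.exe 0x2
2016-04-12T09:01:09 host-04 10.0.5.23 CORP\svc-backup \\*\ADMIN$ temp\update.exe 0x2
2016-04-12T09:03:00 host-07 10.0.5.40 CORP\alice \\*\Projects q1\report.docx 0x2
2016-04-12T09:03:30 host-01 10.0.5.41 CORP\bob \\*\ADMIN$ temp\tool.exe 0x2
2016-04-12T09:10:00 host-08 10.0.5.40 CORP\alice \\*\Projects q1\notes.txt 0x1
"""

EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".vbs", ".js", ".bat", ".ps1")
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "IPC$"}
WRITE_MASK = 0x2


def parse_line(line):
    """Split one constructed log line into a dict; share keeps only its name."""
    ts, host, client, account, share, target, mask = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "client": client,
        "account": account,
        "share": share.rsplit("\\", 1)[-1],
        "target": target,
        "mask": int(mask, 16),
    }


def find_share_spreaders(log_text, min_hosts=3, window=timedelta(minutes=5)):
    """Return {client_ip: sorted hosts} for every client that wrote an
    executable to an admin share on at least min_hosts distinct hosts
    inside any `window`-long period. Ordinary file-share traffic and a
    single admin write (e.g. a sysadmin copying a tool) are not flagged."""
    writes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if (ev["mask"] & WRITE_MASK
                and ev["share"] in ADMIN_SHARES
                and ev["target"].lower().endswith(EXEC_SUFFIXES)):
            writes[ev["client"]].append((ev["ts"], ev["host"]))

    hits = {}
    for client, events in writes.items():
        events.sort()
        # sliding window: from each event, count distinct targets within `window`
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[client] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for client, hosts in find_share_spreaders(SAMPLE_LOG).items():
        print(f"possible worm spread from {client} -> {', '.join(hosts)}")
```

In the sample, 10.0.5.23 is flagged for dropping `update.exe` on four hosts' administrative shares within seven seconds, while alice's document writes and bob's single tool copy are not. Removable-drive spread, the other vector Monrad names, does not show up in share-access logs at all and needs endpoint telemetry (device-insertion and file-creation events on the new volume), so a hunt like this covers only half of the worm's reach.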