QBot, also known as Qakbot or Pinkslipbot, has made a significant comeback, with researchers uncovering a new strain of its malware dubbed BackConnect. The analysis, conducted by cybersecurity experts Joshua Platt, Jason Reaves, and Jonathan McCay, highlights how QBot’s operators have adapted following a significant law enforcement takedown earlier this year.
First identified in 2007, QBot is a modular information stealer historically associated with banking trojans and as a loader leveraging Command and Control (C2) servers for payload execution. Despite a coordinated effort to disrupt its operations on May 30, 2024, QBot has resurfaced with enhanced capabilities.
As the researchers noted, “While the actions taken did disrupt the activity, new signs are showing off a re-emergence of the operators.” This resurgence includes the introduction of a new BackConnect module, which is suspected to facilitate ransomware attacks and other malicious activities.
The BackConnect module introduces sophisticated techniques for persistence and system compromise. It hooks low-level system functions such as CreateProcess and ExitProcess, then enters a loop that polls for a hardcoded registry key. As the researchers described: “Inside the main working function, the module will look for running copies of itself and begins a sleep loop that will check for a hardcoded registry key of ‘Software\\TitanPlus’.”
Once active, the module sends detailed information about the infected system back to its operators, laying the groundwork for further exploitation. This functionality is concerning, as it aligns with previous QBot activity tied to ransomware operations like Black Basta.
The BackConnect module relies on DLL side-loading, an increasingly popular technique among threat actors. Specifically, it is loaded via files such as winhttp.dll and decrypts its configuration data, stored in RC4-encrypted .dat files. The analysis highlights: “Decrypting it ourselves shows it is a PE file,” pointing to QBot’s modularity and its ability to adapt to different attack scenarios.
This adaptability is evident in its file structures and deployment strategy. For instance, the .dat file decrypted during the analysis revealed embedded malware ready for execution.
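As an added illustration of the triage step the researchers describe (not code from the report or from the analysts), the following helper RC4-decrypts a candidate .dat blob with a supplied key and checks whether the plaintext carries a PE image. The key and the sample blob are constructed here for demonstration; the real key is not given on this page.

```python
"""Triage helper for RC4-encrypted .dat blobs: decrypt with a candidate key
and report whether the plaintext is a PE image (MZ header + 'PE\\0\\0' at e_lfanew)."""
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage_dat(encrypted: bytes, candidate_key: bytes) -> dict:
    """Decrypt a .dat blob with one candidate RC4 key and classify the result."""
    plain = rc4(candidate_key, encrypted)
    return {"is_pe": looks_like_pe(plain), "head": plain[:2]}

# Constructed sample: a minimal fake PE image (not real malware) encrypted with a
# made-up key, standing in for a side-loaded .dat file found next to winhttp.dll.
SAMPLE_KEY = b"example-key-not-from-the-report"   # assumption: real key unknown here
fake_pe = bytearray(b"MZ" + b"\0" * 0x3E)         # 0x40-byte DOS header
struct.pack_into("<I", fake_pe, 0x3C, 0x40)       # e_lfanew -> offset 0x40
fake_pe += b"PE\0\0" + b"\0" * 20                 # PE signature + empty COFF header
SAMPLE_DAT = rc4(SAMPLE_KEY, bytes(fake_pe))

if __name__ == "__main__":
    print(triage_dat(SAMPLE_DAT, SAMPLE_KEY))     # {'is_pe': True, 'head': b'MZ'}
    print(triage_dat(SAMPLE_DAT, b"wrong-key"))   # is_pe False: wrong key yields noise
```

A decrypted blob that passes the check is worth handing to a sandbox or a YARA scan rather than executing, since the .dat payload is what the side-loaded DLL ultimately runs.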
The analysis revealed overlaps between QBot and the notorious Black Basta ransomware operation. These connections suggest that QBot’s BackConnect module could play a pivotal role in facilitating ransomware attacks. The researchers warned: “It is highly likely this new side loading backConnect malware has been or is going to be utilized to further ransomware attacks.”
To aid in detection, the team has released YARA rules, enabling organizations to better identify QBot-related activity and bolster their defenses.