« Back to Blog

CylancePROTECT® vs. Qakbot

By The Cylance Team

News recently spread within the cybersecurity community about a curious new variant of Qakbot (aka Qbot). Qbot is a multifaceted family of threats, which first emerged in 2009. Most strains observed in the wild are highly robust and adaptable, and contain various trojan-esque components as well as the capability to evolve, mutate and self-propagate. Early variants were utilized primarily to steal data and establish a persistent foothold within the target environment. Several further Qbot campaigns between 2009 and 2012 were set up to steal online banking credentials, making it an attractive choice for cybercriminals.

While some of the most recent variants contain new features such as improved polymorphism, updated inline hooks, bandwidth testing and more, much of the core functionality remains the same. The use of server-side polymorphism and multiple anti-VM (Virtual Machine) monitors all serve to evade detection by traditional antivirus (AV) technology and similar ‘established’ controls. 

These tricks also add complexity to standard analysis and automation practices in place within the security industry. With encrypted, in-memory strings as well as the ability to alter behavior when running in VMware, VirtualBox, QEMU and others, a few more steps are required for analysis. These tricks are not exclusive to Qbot, and most seasoned security researchers are well aware of these methods and can react accordingly during their analysis. Nevertheless, it adds extra pieces to the puzzle. 

That much being said, regardless of any new functionality, the basic observables are still present and predictable for Qbot. In recent highly publicized campaigns targeting multiple verticals, including healthcare, government, commercial and academic, the spreading and initial infection duties were handled via the Rig Exploit Kit. The Rig Kit has been around for many years now and was especially popular between 2012 and 2015, utilizing exploits in Internet Explorer and Flash Player.

The Test

Regardless of the delivery methods, polymorphic capabilities, self-protection, etc., our endpoints must bear the burden of prevention. If down the chain, the threat executes and you are compromised, this is the end of the story. This is where CylancePROTECT’s approach truly excels and shines. There are still all too many ‘established’ AV products that do not detect the latest (and prior) artifacts associated with Qbot, which should be a big red flag to anyone still running one of these traditional AV products. 

CylancePROTECT’s machine learning models can prevent execution and subsequent environmental compromise of both past and present variants of Qbot, regardless of what shape the binaries take, or how they are ultimately delivered onto the system.

We put Cylance’s technology to task with the following samples of Qbot:

(SHA256)
020356457e95f7607c1941e03294b4c16e23daa402d7e79cfd2ba91b23969480
1154cb9fb9cf44a54aca9d3d689759ad6e89614a60c643ee3a5f496b52715b14
1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088
19bc15f4ff791d0ea11e9820781fe3375d09f79f7e8db504cf367bc9abd7e0dc
1b2ad766759b5d1418ec0f00457d1420386773a4b9e1d89ecfac12ba9bcc333e
428f253c68a3458e3ed46106303ec1330439da46eccac895b5973f829e39c5a7
4f9c55162e7daa23aa79013bcd89876fd3b20148e1599397bfae18b974b73202
5553e5808ebe40e4c5fc54bdd3fba7f2a6c7cbead7f3008e9e0d0a3a45055164
6fbb43ed7040856c48256fb3336bb347ca030c47e20e86885632d0ab7e88e4d5
9417c5f596e7b05596e45b0935c157cb16b57c4f20ee58058f4b1ab581d718f7
9490f5d06d46231ffd57d8244f1b63267b6da532ead148915782fa9662833b1a
9ea5655df078af9fd5f0a8288d7ca563ff9325ec71deceb6a2433693d86cd5e2
bd4efb0d92ebb563c9128f70f282dfaa33b217c15c4a9b37b590c535e25186d9
c8b311ac38d74ad410f6795d055b08f3f91f78a6b3fc3c0a2f69484d19ba6699
d599e92d3a9e1e22e5b7243e6b54b39b241f3b2fab5be879924e605c1291a84f
d8e26423aa8375190089f65f7013ea8d21217ffb25bcbf49fdd988ce8267575a
dded086d7cff8546c395df9c794ef1efa342428fd6d011e1f59641d3ba0f0aeb
eecdfa2fbfcd1b34c9461224f8cd46ed0b874409805f87a547a481a9d4909ec1
fb5fcf8a9b688fdbb8a982d1bf2adf2fb1d8cdd5b470bd0b22cbe8a7b09a132d

The Qbot samples were quarantined by CylancePROTECT immediately, preventing execution:

1_Protect_det_1.pngFigure 1: CylancePROTECT vs. Qbot. No contest.

2_Protect_Console_1.pngFigure 2: CylancePROTECT console view, showing the detection and quarantine of Qbot.

In summary, even the latest updates from the Qbot threat family are no match for CylancePROTECT.

Our research team has posted a video showing our preventative controls and mitigation in action.  See us in action and believe the math!!!

 

Indicators of Compromise

The following are a subset of Qbot-related IOCs related to the samples analyzed for this specific post:

SHA256 Hashes:

020356457e95f7607c1941e03294b4c16e23daa402d7e79cfd2ba91b23969480
1154cb9fb9cf44a54aca9d3d689759ad6e89614a60c643ee3a5f496b52715b14
1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088
19bc15f4ff791d0ea11e9820781fe3375d09f79f7e8db504cf367bc9abd7e0dc
1b2ad766759b5d1418ec0f00457d1420386773a4b9e1d89ecfac12ba9bcc333e
428f253c68a3458e3ed46106303ec1330439da46eccac895b5973f829e39c5a7
4f9c55162e7daa23aa79013bcd89876fd3b20148e1599397bfae18b974b73202
5553e5808ebe40e4c5fc54bdd3fba7f2a6c7cbead7f3008e9e0d0a3a45055164
6fbb43ed7040856c48256fb3336bb347ca030c47e20e86885632d0ab7e88e4d5
9417c5f596e7b05596e45b0935c157cb16b57c4f20ee58058f4b1ab581d718f7
9490f5d06d46231ffd57d8244f1b63267b6da532ead148915782fa9662833b1a
9ea5655df078af9fd5f0a8288d7ca563ff9325ec71deceb6a2433693d86cd5e2
bd4efb0d92ebb563c9128f70f282dfaa33b217c15c4a9b37b590c535e25186d9
c8b311ac38d74ad410f6795d055b08f3f91f78a6b3fc3c0a2f69484d19ba6699
d599e92d3a9e1e22e5b7243e6b54b39b241f3b2fab5be879924e605c1291a84f
d8e26423aa8375190089f65f7013ea8d21217ffb25bcbf49fdd988ce8267575a
dded086d7cff8546c395df9c794ef1efa342428fd6d011e1f59641d3ba0f0aeb
eecdfa2fbfcd1b34c9461224f8cd46ed0b874409805f87a547a481a9d4909ec1
fb5fcf8a9b688fdbb8a982d1bf2adf2fb1d8cdd5b470bd0b22cbe8a7b09a132d 

Digital Signatures:

                Verified: Signed
                Signing date:          3:33 AM 3/19/2015
                Publisher:              SWIFT Weather
                Company:               Irfan Skiljan
                Description:           IrfanView
                Product: IrfanView
                Prod version:         4.37
                File version:           4.37
                MachineType:        32-bit
                Binary version:      4.3.7.0
                Original name:      i_view32.exe
                Internal name:      IrfanView
                Copyright:              Copyright © 2013 by Irfan Skiljan, Austria
                Comments:            IrfanView for Win9x, WinNT, Win2000, WinXP, Win2003, Vista, Win7, Win8
                Entropy: 7.051
                MD5:         F878C04065C75592D9731C8F166A1236
                SHA1:       B775AEB6FDFB7D749A240EA389C2E37E0C6B85DA
                PESHA1: 208B5E2BEAE8FE0B58BC31B6DE2CEEAE7752F45F
                PE256:    CDB3E1A4E430F82D4FB952A415418CE9276765088DB3036CFCBFF71C355C6727
                SHA256: 9490F5D06D46231FFD57D8244F1B63267B6DA532EAD148915782FA9662833B1A
                IMP:        3ED9D3768BDAF8028C489AFB67C5E0AC

                Verified: Signed
                Signing date:          1:53 PM 3/30/2015
                Publisher:              SWIFT Weather
                Company:               Sun Microsystems, Inc.
                Description:           Java(TM) Platform SE binary
                Product: Java(TM) Platform SE 6 U31
                Prod version:         6.0.310.5
                File version:           6.0.310.5
                MachineType:        32-bit
                Binary version:      6.0.310.5
                Original name:      tnameserv.exe
                Internal name:      tnameserv
                Copyright:              Copyright © 2012
                Comments:             n/a
                Entropy: 6.617
                MD5:       504248EED4316B3A92B6F4AA25AF4097
                SHA1:      4D656DF558363EA61DBF124BB7B9CE919FD17959
                PESHA1: 4A3E85B0EB3BC8A67D56505BD4FADA092368062E
                PE256:    AA7F01173465F9FBD4B929338B9CB546955C4D62681DF9E85164CCDA844DC292
                SHA256: 9EA5655DF078AF9FD5F0A8288D7CA563FF9325EC71DECEB6A2433693D86CD5E2
                IMP:         EE5B0AFB1D7C7EA8A045C60F0D3DB1DE

                Verified: The digital signature of the object did not verify.
                Link date:               4:52 AM 3/13/2015
                Publisher:              n/a
                Company:               Irfan Skiljan
                Description:           IrfanView
                Product: IrfanView
                Prod version:         4.37
                File version:           4.37
                MachineType:        32-bit
                Binary version:      4.3.7.0
                Original name:      i_view32.exe
                Internal name:      IrfanView
                Copyright:              Copyright © 2013 by Irfan Skiljan, Austria
                Comments:             IrfanView for Win9x, WinNT, Win2000, WinXP, Win2003, Vista, Win7, Win8
                Entropy: 6.898
                MD5:       956832EAA429FFBCF5D72927813BB800
                SHA1:     180A9C5390B2C5A0CFB02CBE25ACD4A77FC69698
                PESHA1: A93C673F264458E3BDD2BF25FAD273E9D2C3CF7C
                PE256:   C1759628B77B64EA9EA4039039E8325D97E319AB1E70D6042968836B1B5D9DDC
                SHA256: D8E26423AA8375190089F65F7013EA8D21217FFB25BCBF49FDD988CE8267575A
                IMP:        34B9339402735B3015FF2D2D049D729E

                Verified: Signed
                Signing date:          4:48 AM 3/25/2015
                Publisher:              SWIFT Weather
                Company:               CHENGDU WEISHU TECHNOLOGY CO., LTD.
                Description:           Picture To Video Converter Application
                Product: Picture To Video Converter Application
                Prod version:         1, 1, 0, 0
                File version:           1, 1, 0, 0
                MachineType:        32-bit
                Binary version:      1.1.0.0
                Original name:      pic2video.exe
                Internal name:      pic2video
                Copyright:              Copyright (C) 2007-2008 CHENGDU WEISHU TECHNOLOGY CO., LTD.
                Comments:             n/a
                Entropy: 6.404
                MD5:       71156A2A6076DB554436892B9E540E06
                SHA1:     E4EC005FF5A45C79E5E2FA7FC1D3B8A4B97C207F
                PESHA1: CF7770B090EED414F68331EECBF16866DE9530C9
                PE256:   579E222B183615127D83E712F6481A9FEE639193B1B12748CD4B42239921BE53
                SHA256: FB5FCF8A9B688FDBB8A982D1BF2ADF2FB1D8CDD5B470BD0B22CBE8A7B09A132D
                IMP:        9B0BB92D9B43400C0B7120C62F9156EB

Domains (C2 and call-out/function testing):

apxlrfuxlfhbcyfdxoce.org    
tags.bkrtx.com    
undrlryedwfkes.net    
ksviuiqgpu.org    
agjnydlrkluyxdueswm.org    
huuebybyzitnjfih.org    
kvjxyvzkygqnmvixjclp.info    
evnffssblnzifztbj.org    
sanjose.speedtest.comcast.net    
stc-sjos-01.sys.comcast.net
boston.speedtest.comcast.net
hkeqznqsyetang.org    
jacksonville.speedtest.comcast.net
fobeabcal.info    
opuoybextdpdjviihpfhejg.org    
houston.speedtest.comcast.net
wjqagrtill.org    
vfcgvxdbnrqfqchitrcgj.com
ycuhdilyntwbawnjaujfinak.org    
gkgiqjutaqvlmpminqeysycli.biz    
bqcgcxcxbtb.info    
lvjlezjytphkniwspzbllowsa.com    
lkbyrknwtpuhduwqntfzd.org    
qxlnrsxrsaodzyvdmd.com    
dracwwfuopmziqvtnhuy.info    
zezdehhemuzez.biz    
yprazdskffxwtiuesq.biz    
cdycvcrapugttcarliymg.org    
mwncgezmtm.net    
kfrqgwndfrnkccm.biz    
dcwpvouketmuq.biz    
cklpdidrvjoujyqxcclp.info    
wzkvvnwvd.org    
pdafxdsf.info    
ghnorrrhhw.org    
jnyqomkxtczlihdpzrocysquq.org    
tcbqxkgaegznjdqlxllaj.com    
dshuugdivpuacwiwlhzlkj.com    
auqmgvweuatstbl.org    
dwxkztbpntbyzyjae.org    
xibitqqqpjdcgydy.com    
udfloskikxswgmn.info    
eyaugvfhugwwocg.org    
rxosyypzgvwl.org    
oxfklxxmyqpqxk.org    
vmzdmuyopdjpdaiitelkgrgrn.org    
xkvlvmjqihtokanbamcfwzk.org    
wfrimetmb.net    
uccebdzmkhe.net
jwxmeecbzpcm.org    
rtdmxoqrvnpclzjxepci.biz    
cdqykfgxpkjwvezxedeq.com    
mddwapiwifsakevwgbkxg.net    
ugatzjzpiqsqp.net    
aguilfgq.com    
nayusvehpyyaremifaw.net    
mmqxjufvmofwaxgqboywtcc.org    
qtnxelisxhob.org    
mmjpdcipuacjczduhmzpvzi.net    
ivntfgciayjqaydaestxjhusj.net   
jastizqwovlyt.biz    
tiryjusnfsdkwnv.com    
rjcxwkcavrtwzrhjwvyxxqcvf.info    
sirifgbgoxgk.org    
kgtzmcocivzksolkfpipyjkcf.org    
zjzxmgdxbbfxedolrryjq.biz    
vtanqhti.com    
kilnutoxcnbquwvhmblml.biz    
naslaboauocjtkfdjuxrnemzh.info    
bwwmtgrlwuyw.org    
wcramuopsgfqhm.net    
vfqabgyjufjk.info    
ydaoxcmkmvbwjakpwczgqm.com
hmrfvmvrbmcvfqqkkwnekry.biz    
ynepxhpgaddmgymnumoz.info    
wpzuhabecasatijogwkr.net    
txumdptwlqjya.net    
fqsohcypjgtdjdszxymqij.org    
ictocinuwasurvgnnyzor.biz    
ertrofdoj.biz    
gisktkcafrdkoeuowxw.org    
rggerjwijhrmcgdn.org    
cnrztabszkohzgcmlglx.com    
axggducnhnzmcdmlqyubxrgf.com    
fejkprosurgfugunv.info    
mgygmgyw.info    
gagyxqrc.info    
jktzussyestjwx.net     
dpqretyqqyfwwlevnafxif.info    
yazhfhvkkehijilopgjea.com    
rcmtxqrgutuaevj.net    
odxsfaod.org    
nrfndfqsidtfhbbgbwy.net    
dvcuipjffmoxbbmdt.org    
yoqtgpvfapv.biz    
aeklgvuyvhwqrqvznlwclw.org    
cdlqumiioqrvwlppunxovwrms.info    
xldknontemtsxtvr.org    
opoqicvdmwzedznvvtlzwu.net    
zhphqifemoqyjnoiblh.org    
nqrardktkh.net    
ycfeepriklnncoqwrjed.biz    
ilrqjskkcdofovm.net    
anfoprwpaqawehwqimeqhjb.biz    
cpjjubooafqic.biz    
lcjrivfkwbfgsdcwi.net    
jkjkbooycetcytzxva.org    
ebknxkerfy.info    
knryhuykxcagw.org    
jmhsofzfa.biz    
fyobetecrbcuyttbl.biz    
bfegsuakfhegoxyadzcqf.info    
ssufabqiprreoc.net    
puphltsjvleajr.com    
yjmmokwuavhgsbkogxwpissi.com    
ugglgyorhlxvpgkluenua.net    
zfxaetiwiqyanyohu.info    
bfrvxptqgpnvg.com    
cvzlmbun.org    
afpnglbtnzrzupr.info    
ytjmdcovsknlvdyvrjunop.biz    
jxvfixnlumsr.org    
thefzxkgfkkhlewlp.org    
wsmymwdycdpkfsplvogt.net    
jltjcvlfovgypkpfawjvt.com    
tvqnwngagthdavbbw.com    
opdegdorbxafizpoqxhlfr.biz    
mkppkhjal.net    
trewtqwpsiaebigdpodvnu.org    
siqpwhwxrxru.org    
azlxwbjnjiraqjhzpbkrifvl.info    
njabuxdulgebcwtwzjylcn.net    
aahuojhrcdaisdipvilbh.net    
oydasssexhazrocfgtovlv.net    
ednfjetgokmykx.net    
pmqlhxiicbgwxz.org    
tveysumigzbunqcejssmutjv.org    
wpkoliguqggnuevvnzlrdl.org    
vsazwrcssctsbzhvqcejnj.com    
awauaqjgvlqotu.info    
ralkrgzmu.info    
mlkksnctehsioajwtgoylzrym.com    
jgohpoaoykjl.com    
slqhobocapvhdnm.info    
dmppdbesnshrfzenbvpwkqk.info    
whxmnlxppnksnrvnkav.net    
ncpsgqwnwwcvcxmxiglaq.org    
ipdliojsvqy.com    
rnitriesathtm.biz    
xacosayenxkmsiawbhl.org    
exvkspiurcevthvjrfmdi.net    
itnaosbgdstmfl.org    
qcmcruymwfinbmc.com    
haymvpcv.biz    
flvgveznfiixazfkn.net    
blgrlztjixgnjmdvcmhrbc.net    
ikuubcteifoftsgpqzjyx.com    
frfwzsvenmtwcmfxm.com    
fibjbtyrlfkeqj.com    
vylfytseutyzppemmcxzhzvk.biz    
hfbktedica.biz    
jksqcmdlnsozubtxotexszafj.org    
uhsfyxmrbijhstba.biz    
mddcyqapxbyjpsolxekihkub.org    
cdqkfytvxbtkltrnjdbx.org    
hqiuvvdajgspnifpuburyce.biz    
yjvyeftosmpyzmsedjwahdgrs.info    
rffzvfljvtsthkbdu.org    
xilqzczljwufhvqgnp.info    
idfvxaiedx.org    
pvakkcbj.info    
dhvkeuxmelktnxkiswnimug.net    
embmcwfmolxcjibdndwmm.com    
plzlpbperkax.biz    
sgfubqqqbjqkawvdecezjaxm.org    
evcfcicwqlnpojnwqum.org    
qffmjgsoamfzwj.org    
vucghraykaqrctaux.biz    
gqfqavopztpv.org    
fmfenmqowqgqltikso.com    
fwqyshvisaze.org    
ueqxwzcnjtsc.info    
wzamzowmzcmbbxuz.net    
skdprsroavxpupptm.com    
zmckgjqmjomfucuu.org    
seqwlfmo.info    
xrvqtfzipthlpcllimxh.com    
cymwgyfdfaebrsgoljnpdxzp.info    
zsanwuwkv.net    
ktzjhmxxwljttsiiestdox.net    
rcubslryklaaneeyajsevfgen.com    
cbvpcdhpnf.org    
nyeyvudsnsyqzod.org    
dbryotbxozqoiqanialgcjpid.info    
ncahpftsrgsrckkqhio.biz    
phbnbbctehcoxse.net    
paelkvmv.info    
xgebmgzpbjghxeruquaeqvcox.org    
bndpdakfbedyqgtsuunsmu.biz    
srbqbrgvxsavifpwl.com    
veajrmvsbkto.info    
szfqporhz.biz    
gpnvivsjedteq.info    
liwahrnohwurpdladmn.com    
piniwokpxa.org

Tags: