Threat Awareness – Qbot Steals Sensitive Data Minutes after the Initial Infection

Qbot/Qakbot remains one of the most widespread malware variants. A new report from researchers at DFIR reveal that Qbot is used to steal sensitive data and execute other malign tasks in a very short time frame. Qbot, which WaterISAC reported on last year, is a highly modular malware used for many nefarious activities such as credential harvesting and dropping ransomware. Qbot usually spreads via phishing emails.

According to DFIR analysts, after an initial Qbot infection, threat actors move fast and conduct privilege escalation, with a reconnaissance scan taking place within the first ten minutes. Within the first half hour, Qbot steals victim’s emails and then uses them for reply-chain phishing attacks or sells them to other criminals. Qbot then steals Windows credentials from memory which are leveraged for lateral movement to other devices on the network. All of these activities occur on average within the first fifty minutes after the initial infection. Members can protect themselves against this malware by carefully screening suspicious emails they receive and never clicking on/downloading an attachment or link. Read more at BleepingComputer.