Qbot, an information stealer active since 2007, has re-emerged after a law enforcement disruption in May 2024. New research reveals connections between Qbot, Zloader, and BlackBasta ransomware. A new backConnect malware, likely developed by Qbot operators, uses DLL side-loading techniques and RC4 encryption. The malware checks for running copies of itself, uses registry keys for configuration, and communicates system information to its command and control server. Analysis of related files suggests potential use in future ransomware attacks. The report provides IOCs and a YARA rule for detection.
Author: AlienVault
Related Tags:
QBot
QuackBot
Pinkslipbot
QakBot – S0650
T1573.002
T1573.001
zloader
T1547.001
T1071.001
Associated Indicators:
4B4398F64E574CFDB8DE05D388D97ED255E888045F0316808311F51F63212EFB
98D38282563C1FD09444724EACF5283626AEEF36BCB3EFA9D7A667DB7314D81F
7215D9421E0A6D1A7CFDE3F6D742670550FED009585AB35B53CBB845F63C5F74
651E49A45B573BB39E21746CB99FCD5D17679E87E04201F4CC6CA10FF2D166E4
4A6869736864694932556873766F6339346B65696F6A6E376E7331396D30646F
C8BDDB338404A289AC3A9D6781D139314FAB575EB0E6DD3F8E8C37410987E4DE
F09804B59A3AAC7C1DD47C7E027182FB54F9A277
19E491A4C69DE056C77D05BA671870818D4F7F80
88E88716E6099E2E82CF3B8AD08B371C0A7B91E8