BAE Qbot Report

The malware Qbot relies on stealth to secretly steal victims' credentials, but an unexpected glitch during a recent cyberattack alerted researchers to a new campaign featuring a more virulent strain of the software.

According to a white paper and corresponding release, BAE Systems discovered a new variant of Qbot — the original dates back to 2009 — featuring significant modifications to avoid detection, including:

  • polymorphic code that disguises Qbot's coding signatures
  • automated updates that generate new encrypted versions every six hours to outpace software updates
  • the ability to identify sandbox environments to thwart malware researchers

BAE determined the Qbot variant has infected more than 54,000 PCs globally. However, the plot was uncovered when the malware caused several Windows XP-based computers at a public sector organization to crash. "The criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them,” said Adrian Nish, BAE's head of cyber threat intelligence in a company statement.