By malware standards, the banking trojan Qbot is long in the tooth, but it still has some bite, according to researchers who say it has added new detection-evasion and anti-analysis techniques to its arsenal.
“It has a new packing layer that scrambles and hides the code from scanners and signature-based tools,” wrote Doron Voolf, malware analyst at F5 Labs (part of F5 Networks), in a recent company blog post. “It also includes anti-virtual machine techniques, which help it resist forensic examination.”
F5 Labs discovered the new additions while analyzing a Qbot sample that was detected earlier this year. Active since 2008, Qbot is designed to collect victims’ browsing activity and steal their bank account credentials via keylogging, credential theft, cookie exfiltration, and process hooking, Voolf notes.
This latest sample was programmed to harvest credentials primarily from U.S. banks and their online financial services offerings. F5 identified 36 targeted U.S. financial institutions plus one bank each in Canada and the Netherlands, including J.P. Morgan, Citibank, Fifth Third Bank, U.S. Bancorp, Citizens Bank, Keybank, Bank of America, Capital One, First Citizens Bancshares, First Horizon Bank, SunTrust, Compass Bank, TD Bank, Wells Fargo, Frost Bank, TCF Bank, Huntington Bancshares, M&T Bank, Scotiabank, First Merit Corporation, Eastern Bank, ABN AMRO, PNC Bank, Silicon Valley Bank and others. The researchers also found six generic URL targets “that might be added as a second stage in the fraud action.”