A team of leading cyber experts has identified a new strain of Qbot, malicious software that has infected over 54,000 PCs in thousands of organisations across the world. An emergency response to a Qbot attack on a public sector organisation has given BAE Systems unparalleled insight into how the updated malware infects hosts, updates itself and hides from all but a very few antivirus and malware defences.
Following an attack on the organisation in early 2016 that affected more than 500 computers and impacted the operation of critical systems, BAE Systems’ analysts discovered that a number of modifications had been made to the original Qbot malware to make it harder to detect and intercept. These included new ‘shape-changing’, or polymorphic, code: each time the malware’s code was issued by the servers controlling it, it was compiled afresh with additional content, making it look like a completely different program to researchers looking for specific signatures.
In addition, automated updates to the malware generated new, encrypted versions every six hours, outpacing efforts to update software on customer computers, which helped the virus to spread. The new Qbot also checks for signs that it is running in a ‘sandbox’ – a tool used to spot malware before it reaches users’ inboxes. Sandboxing is accepted by many organisations as the de facto defence against malicious email content, and malware authors are now going to great lengths to defeat it.
Professional cyber criminals were found to be specifically targeting public organisations such as police departments, hospitals and universities. BAE Systems’ expert analysis revealed Qbot’s international network of infected machines currently runs to more than 54,000 PCs due to the malware’s ability to spread automatically without any outside instruction. Due to a combination of detection avoidance and automated infection, there is a risk that Qbot will continue to spread unless organisations take steps to protect themselves.
Adrian Nish, Head of Cyber Threat Intelligence at BAE Systems, commented:
“Many public sector organisations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks. In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organisation to the spreading problem.
“This case illustrates that organisations must remain alert to, and defend against, new and evolving cyber threats. Qbot first came to light in 2009, but this new version is equipped with advanced tools to escape detection and infect quickly.”
The team at BAE Systems analysed the malware’s own command and control network to work out how stolen data was being uploaded. They were also able to identify how the programmers altered the destination of the stolen data each time, one of the ways in which the attackers can avoid detection and interception.
BAE Systems has published a White Paper on the Qbot malware.
For further information, please contact:
Jenny Szweda, BAE Systems
M: 07867 537 549
Tanya Pennells, Bite
T: 0208 834 3486
BAE Systems plc
Tel: +44 (0) 1252 384719
Notes for Editors
About BAE Systems
At BAE Systems, we provide some of the world’s most advanced, technology-led defence, aerospace and security solutions.
We employ a skilled workforce of 82,500 people in over 40 countries. Working with customers and local partners, our products and services deliver military capability, protect people and national security, and keep critical information and infrastructure secure.
At BAE Systems Applied Intelligence, we help nations, governments and businesses around the world defend themselves against cybercrime, reduce their risk in the connected world, comply with regulation, and transform their operations.
We do this using our unique set of solutions, systems, experience and processes - often collecting and analysing huge volumes of data. These, combined with our Cyber Special Forces - some of the most skilled people in the world - enable us to defend against cyber-attacks, fraud and financial crime, enable intelligence-led policing and solve complex data problems.
We employ over 4,200 people across 18 countries in the Americas, APAC, UK and EMEA. For further information about BAE Systems Applied Intelligence, please visit www.baesystems.com/businessdefence