"Qbot Needs Only 30 Minutes to Steal Your Credentials, Emails"

According to a new report from DFIR, Qbot, also known as Qakbot and QuakBot, has returned with fast attacks. It takes around 30 minutes for the malware to steal a victim's sensitive data after the initial infection. Researchers discovered Qbot carrying out light-speed attacks in October 2021, and now the threat actors behind the malware appear to be using similar tactics. An analysis of Qbot's attack timeline shows that it moves quickly to perform privilege escalation after an infection, while a full reconnaissance scan is conducted within ten minutes. Qbot's initial access is typically gained through an Excel (XLS) document that deploys a macro to drop the Dynamic Link Library (DLL) loader on the target machine. The malware steals emails within 30 minutes of the initial execution; the threat actors then use those emails for reply-chain phishing attacks and sell them to other malicious actors. Qbot steals Windows credentials from memory by injecting commands into LSASS (Local Security Authority Subsystem Service), and it also steals credentials from web browsers. These credentials are used for lateral movement to other devices on the network, which begins 50 minutes after the first execution. Because the lateral movement is rapid, defense teams face a significant challenge if there is no network segmentation to protect workstations. The Qbot threat actors also often use some compromised systems as first-tier proxy points for address masking and rotation, and use multiple ports for SSL communication with the command-and-control (C2) server. This article continues to discuss recent findings regarding Qbot's timeline, capabilities, and versatility.

Bleeping Computer reports "Qbot Needs Only 30 Minutes to Steal Your Credentials, Emails"

Submitted by Anonymous on