Dive Brief:
- Qbot, a piece of malware more than a decade old, has resurfaced in recent weeks, Justin Heard, security engineer at Nuspire, told CIO Dive. The bank keylogging trojan "was kind of quiet there for a while," but the threat detection company picked up on indicators the variant was active.
- In the last several days, researchers from F5 Labs found Qbot targeting major financial organizations, including JPMorgan, SunTrust, Capital One and Bank of America.
- Qbot, also known as W32/Pinkslipbot or Qakbot, has long carried worm-like capabilities that let it spread to other hosts on a network. The latest variant adds a "new packing layer" that hides its code from scanners and signature-based tools, according to F5 Labs.
Dive Insight:
Qbot's modus operandi has not changed since its debut in the wild over a decade ago. A Qbot infection is typically initiated by phishing, a threat that spiked during the coronavirus pandemic.
The worm-like trojan steals banking credentials, email passwords and signing certificates. Qbot can give its operators full control of an infected system by leveraging a "command-based backdoor operated by the control server as well as a virtual network computing-based backdoor," according to McAfee.
In the latest resurgence, Qbot's operators worked from a list of targets in an organized campaign focused primarily on the U.S. However, because Qbot tends to fall off and then reappear on the threat radar, researchers have difficulty "gauging" its global impact, according to F5 Labs.
Threat hunting is viewed as one of the last lines of defense, often portrayed as "hand-to-hand combat" with cyber adversaries. The practice amounts to asking "are we compromised in a way our current detection systems are not detecting?"
Cybersecurity professionals tend to agree that threats are ever-present in systems; when threat hunters can't find any, security teams have to explore how and why a threat could evade detection. Qbot runs on Windows-based systems, and the latest variant includes anti-virtual machine techniques: it checks for signs that it is running inside a virtual machine or analysis sandbox and changes its behavior when it finds them, which hampers dynamic analysis and forensics.
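To make the anti-VM point concrete, the following is an added example written for this page, not Qbot's code and not from F5 Labs or McAfee. It models the kind of environment check such malware performs: it looks for well-known hypervisor artifacts (VMware, VirtualBox and QEMU MAC address prefixes, guest-tools process names, BIOS vendor strings) and "aborts" when any are present, which is why a stock analysis VM may never see the payload run. The artifact tables are illustrative rather than exhaustive, and the host profiles at the bottom are constructed.

```python
"""Illustrative anti-VM fingerprint check (added example, not Qbot's code).

The artifact lists are well-known hypervisor tells chosen for illustration;
real malware uses many more checks (CPUID, timing, registry keys, disk size).
"""
from dataclasses import dataclass, field
from typing import List

# MAC address OUI prefixes assigned to common hypervisors (illustrative list).
VM_MAC_OUIS = {
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
    "00:05:69": "VMware",
    "08:00:27": "VirtualBox",
    "52:54:00": "QEMU/KVM",
}

# Guest-tools processes that only exist inside a VM (illustrative list).
VM_PROCESSES = {
    "vmtoolsd.exe": "VMware Tools",
    "vboxservice.exe": "VirtualBox Guest Additions",
    "vboxtray.exe": "VirtualBox Guest Additions",
}

# Substrings of BIOS/system-manufacturer strings exposed by hypervisors.
VM_BIOS_VENDORS = {
    "vmware": "VMware",
    "innotek gmbh": "VirtualBox",
    "qemu": "QEMU",
}


@dataclass
class HostProfile:
    """Constructed stand-in for what malware would read from the live system."""
    mac: str
    bios_vendor: str
    processes: List[str] = field(default_factory=list)


def vm_artifacts(host: HostProfile) -> List[str]:
    """Return every hypervisor tell found on the host (empty list if none)."""
    found = []
    oui = host.mac.lower()[:8]          # first three octets, e.g. "00:0c:29"
    if oui in VM_MAC_OUIS:
        found.append(f"mac:{VM_MAC_OUIS[oui]}")
    for name in host.processes:
        vendor = VM_PROCESSES.get(name.lower())
        if vendor:
            found.append(f"process:{vendor}")
    bios = host.bios_vendor.lower()
    for needle, vendor in VM_BIOS_VENDORS.items():
        if needle in bios:
            found.append(f"bios:{vendor}")
            break
    return found


def looks_like_vm(host: HostProfile) -> bool:
    return bool(vm_artifacts(host))


def malware_decision(host: HostProfile) -> str:
    """Mimic the evasion logic: stay dormant in a VM, run the payload elsewhere."""
    return "abort" if looks_like_vm(host) else "execute"


# Constructed sample hosts: an unmodified analysis VM and a bare-metal workstation.
SANDBOX = HostProfile("00:0C:29:3a:4b:5c", "VMware, Inc.",
                      ["explorer.exe", "vmtoolsd.exe"])
BARE_METAL = HostProfile("3c:52:82:11:22:33", "Dell Inc.", ["explorer.exe"])

if __name__ == "__main__":
    for label, host in (("sandbox", SANDBOX), ("bare metal", BARE_METAL)):
        print(f"{label}: artifacts={vm_artifacts(host)} -> {malware_decision(host)}")
```

The practical takeaway for a threat hunter or forensics team is the mirror image of the check: a detonation environment that leaks any of these tells will record a benign run and report nothing, so the VM's MAC prefix, guest tools and BIOS strings should be masked before a sample is considered clean.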
There are "definitely more credentials" floating around the dark web currently because businesses are largely using remote desktop protocol for database access, according to Heard. Bad actors are readying to sell credentials or initiate attacks. "I feel like they're collecting a lot of data right now."