Qbot, also known as QakBot, is a banking trojan whose operators have begun using Egregor ransomware to carry out attacks.

It is Windows malware that steals banking credentials and Windows domain credentials, and gives remote access to threat actors, who then install ransomware.

Threat actors likely deliver Qbot to victims through phishing email campaigns carrying a malicious attachment. The malicious document is usually an Excel file with a fake DocuSign page.

Legitimate DocuSign documents are sent via email with a ‘Review Document’ radio button that opens a URL to the PDF, so anyone not accustomed to DocuSign can easily fall victim to this type of lure. Do not open email attachments if you do not recognize the sender. This is the main way to protect yourself, and everyone in your organization, from threat actors looking to fool you.

Qbot has stopped working with ProLock ransomware and begun a partnership with Egregor, in hopes of continuing its streak of big-game hunting. Egregor has been active and extremely successful since emerging in September, and its expansive knowledge and expertise is attributed to having ex-Maze hackers on the team.

Together, Egregor and Qbot are able to compromise corporate networks: Qbot moves laterally across the environment, and Egregor has been using Rclone for data exfiltration.

The following are the file naming conventions usually used by the operators:

  • exe
  • bat
  • exe

Ransomware attacks will not cease any time soon, so our engineers are constantly planning protection for organizations and using our EDR platform, ShadowSpear®, to maximize an organization's security. Network defenders should apply these strategies and tools to avoid falling victim to malicious threat groups, though an attack usually begins with non-technical end users, who must understand the importance of cyber awareness. Once your employees are aware of the potential threats, using a trusted Endpoint Detection and Response (EDR) tool will raise your organization's protection to an even higher level.

Our cybersecurity professionals are always on alert for malware and manipulative programs, building cases on the threat groups and actors encountered on a daily basis. Our 24/7 Security Operations Center (SOC) is staffed with certified security engineers who monitor and protect your environment.

Not only do they continuously prevent cyberattacks, but they can also deploy ShadowSpear® in your environment before or after an attack.