Qbot (aka Qakbot) Botnet
In what could be a wake-up call for both United States federal authorities and banking officials, more than half (59 per cent) of the sniffed sessions were reportedly from accounts at five of the largest US banks.
Russian involvement
Proofpoint has traced the infrastructure of QBot all the way to Russia. The researchers said that a Russian-speaking cybercrime group was behind the scam and that it targeted American as well as European banks, though the primary targets appeared to be American banks. The key facts that have emerged from Proofpoint's analysis are given below:
- A Russian-speaking cybercrime group targeted primarily US-based systems and online banking accounts.
- The Qbot (aka Qakbot) botnet of 500,000 infected systems sniffed 'conversations', including account credentials, for 800,000 online banking transactions, with 59% of sniffed sessions representing accounts at five of the largest US banks.
- The attackers compromised WordPress sites using purchased lists of administrator logins, with which they were able to upload malware to legitimate sites in order to then infect clients that visited those sites.
- Many of these WordPress sites also run newsletters, which the attackers leveraged to distribute legitimate but infected content.
- Windows XP clients comprised 52% of the infected systems in the cybercrime group's botnet, even though recent estimates place the Windows XP install base at 20-30% of business and consumer personal computers. Microsoft ended patch and update support for Windows XP in April 2014.
- The cybercrime group used compromised PCs to offer a sophisticated, paid proxying service for other organized crime groups. The service turns infected PCs into an illicit 'private cloud' for attackers, as well as into infiltration points into corporate networks.
The security firm said the attackers launched the assault from compromised WordPress sites using drive-by-download tactics. The report says that the cybercriminals obtained the WordPress administrator logins by purchasing them online. Windows XP clients comprised 52 per cent of the infected systems in the cybercrime group's botnet. The cybercrime group also made money by selling access to compromised systems on underground forums. The financial impact of the QBot banking trojan is not yet known, but given that QBot sniffed such a large volume of online banking transactions, losses may be substantial. A detailed PDF of Proofpoint's research on the QBot banking trojan can be downloaded here (registration required).