Mallard Spider

Description

(The Hacker News) First documented in 2008, Qbot (aka QuakBot, QakBot, or Pinkslipbot) has evolved over the years from an information stealer to a ‘Swiss Army knife’ adept in delivering other kinds of malware, including Prolock ransomware, and even remotely connect to a target’s Windows system to carry out banking transactions from the victim’s IP address.

Attackers usually infect victims using phishing techniques to lure victims to websites that use exploits to inject Qbot via a dropper.

QakBot has been observed to be distributed by Emotet (operated by Mummy Spider, TA542).

Names

Name	Name-Giver
Mallard Spider	CrowdStrike
Gold Lagoon	SecureWorks

Country

• Unknown

Motivation

• Financial crime
• Financial gain

First Seen

2008

Tools

• Egregor
• Mimikatz
• ProLock
• QakBot

Operations

• 2020-03: PwndLocker Fixes Crypto Bug, Rebrands as ProLock Ransomware https://www.bleepingcomputer.com/news/security/pwndlocker-fixes-crypto-bug-rebrands-as-prolock-ransomware/
• 2020-03: Ransomware Attack Renders LaSalle County Government Computers Unusable https://chicago.cbslocal.com/2020/03/04/ransomware-attack-renders-lasalle-county-government-computers-unusable/
• 2020-04: QBot malware is back replacing IcedID in malspam campaigns https://www.bleepingcomputer.com/news/security/qbot-malware-is-back-replacing-icedid-in-malspam-campaigns/
• 2020-05: FBI warns of ProLock ransomware decryptor not working properly https://www.bleepingcomputer.com/news/security/fbi-warns-of-prolock-ransomware-decryptor-not-working-properly/
• 2020-05: Ransomware Hit ATM Giant Diebold Nixdorf https://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/
• 2020-05: ProLock Ransomware teams up with QakBot trojan for network access https://www.bleepingcomputer.com/news/security/prolock-ransomware-teams-up-with-qakbot-trojan-for-network-access/
• 2020-08: Qbot steals your email threads again to infect other victims https://www.bleepingcomputer.com/news/security/qbot-steals-your-email-threads-again-to-infect-other-victims/
• 2020-09: FBI issues second alert about ProLock ransomware stealing data https://www.bleepingcomputer.com/news/security/fbi-issues-second-alert-about-prolock-ransomware-stealing-data/
• 2020-09: ProLock ransomware increases payment demand and victim count https://www.bleepingcomputer.com/news/security/prolock-ransomware-increases-payment-demand-and-victim-count/
• 2020-10: QBot uses Windows Defender Antivirus phishing bait to infect PCs https://www.bleepingcomputer.com/news/security/qbot-uses-windows-defender-antivirus-phishing-bait-to-infect-pcs/
• 2020-11: QBot phishing lures victims using US election interference emails https://www.bleepingcomputer.com/news/security/qbot-phishing-lures-victims-using-us-election-interference-emails/
• 2020-11: QBot partners with Egregor ransomware in bot-fueled attacks https://www.bleepingcomputer.com/news/security/qbot-partners-with-egregor-ransomware-in-bot-fueled-attacks/
• 2020-12: Qbot malware switched to stealthy new Windows autostart method https://www.bleepingcomputer.com/news/security/qbot-malware-switched-to-stealthy-new-windows-autostart-method/

Information

• https://thehackernews.com/2020/08/qakbot-banking-trojan.html

Other Information

Uuid

4233110f-f984-47ac-80fe-7988a4916505

Last Card Change

2021-08-10