An Analysis of Qbot Variants in the Wild

October 1, 2018 | Adeline Zhang

Overview

Since their source code was publicly released on GitHub, Mirai and Qbot have wreaked havoc on the Internet of Things (IoT). Even before that release, Mirai had been observed behaving adversarially toward Qbot during its infection process.

Recently, the research team of NSFOCUS Threat Intelligence center (NTI) captured the first Qbot variant that incorporates the scanning signature of Mirai as well as a number of exploits for spreading.

An analysis of the spreading method finds that the variant mainly targets routers and home gateway appliances belonging to Internet users with high-quality network connections, including businesses, enterprises, and individual users that require high network quality.

During monitoring of Qbot and its variants, NTI has discovered quite a few Qbot variants, indicating that the malware is currently quite active and busy setting up botnets.

Variant Updates

  1. The scanning and encryption/decryption modules of Mirai are added.
  2. Exploits of CVE-2014-8361, CVE-2015-2051, and CVE-2017-17215 vulnerabilities and a vulnerability in D-Link DSL-2750B disclosed on May 15, 2018 are added.
  3. Bots’ requests for connecting to the C&C server contain different payloads, indicating that attackers may belong to different groups.
  4. The command set is modified in varying ways. An update field appears in the modified commands, but the attackers have not actually implemented it, so the string is present in form only and has no functionality. It is still worth watching for any future development.

Technical Details

The Qbot variant discussed here has a code structure similar to that of Mirai and reuses Mirai's scanning code in its entirety. For this reason, most antivirus software identifies it as Mirai.

The method of decrypting the weak-password list is also the same as that used by Mirai.
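For analysts who want to pull the credential list out of such a sample without running it, the following is an added helper, not code from the NSFOCUS write-up or from the malware itself. It relies on the publicly documented behaviour of Mirai's source: every byte of a stored string is XORed with each of the four bytes of the key 0xDEADBEEF in turn, which collapses to a single-byte XOR with 0x22 because XOR is associative. The encoded bytes for "root" below are the ones that appear in Mirai's published credential table; the byte blob is constructed here for illustration.

```python
"""Decode strings obfuscated the way Mirai's scanner stores its credentials.

Added analysis helper, not code from the article or from the malware.
Mirai's published source XORs every byte with each of the four key bytes of
0xDEADBEEF in turn; that collapses to one XOR with 0xDE ^ 0xAD ^ 0xBE ^ 0xEF
== 0x22, so the same routine both encodes and decodes.
"""
from __future__ import annotations

TABLE_KEY = 0xDEADBEEF  # key used by the public Mirai source


def effective_key(table_key: int = TABLE_KEY) -> int:
    """Fold the four key bytes into the single byte that is actually applied."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (table_key >> shift) & 0xFF
    return k


def toggle_obf(data: bytes, table_key: int = TABLE_KEY) -> bytes:
    """XOR every byte with the folded key; XOR is its own inverse."""
    k = effective_key(table_key)
    return bytes(b ^ k for b in data)


def decode_credential_pair(user_enc: bytes, pass_enc: bytes) -> tuple[str, str]:
    """Recover a username/password pair stored in obfuscated form."""
    return toggle_obf(user_enc).decode("ascii"), toggle_obf(pass_enc).decode("ascii")


def find_obfuscated_strings(blob: bytes, min_len: int = 4,
                            table_key: int = TABLE_KEY) -> list[str]:
    """Decode a raw byte blob and return every printable-ASCII run of at least
    min_len characters: the quick way to list the credential table of a sample
    statically."""
    decoded = toggle_obf(blob, table_key)
    found: list[str] = []
    run = bytearray()
    for b in decoded:
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed input: "root" as Mirai's source spells it in encoded form
# (\x50\x4D\x4D\x56), plus a blob assembled here from encoded words separated
# by bytes that decode to non-printable characters.
ROOT_ENC = b"\x50\x4D\x4D\x56"
SAMPLE_BLOB = b"\x22\x22" + toggle_obf(b"admin") + b"\xff" + toggle_obf(b"root") + b"\x22"

if __name__ == "__main__":
    print(hex(effective_key()))                  # 0x22
    print(toggle_obf(ROOT_ENC))                  # b'root'
    print(find_obfuscated_strings(SAMPLE_BLOB))  # ['admin', 'root']
```

Because the derived variants reuse this routine unchanged, the same decoder works on the weak-password list of the Qbot variant described above; only samples that changed the table key would need `TABLE_KEY` adjusted.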

What’s new in this variant includes exploits of the following vulnerabilities:

CVE-2014-8361, CVE-2015-2051, and CVE-2017-17215, and a vulnerability in D-Link DSL-2750B disclosed on May 15, 2018

Command control and server connection:

The command format of Qbot is used, with command separators changed to “.”.

The length of the command words is shortened.

In the past few days, we have captured other Qbot variants, whose server connection requests contain different payloads:

[HAKAI] Connected [ ARCH:%s ] [ HOST:%s ]\x1B[0m

\x1B[1;36m Sex\x1B[1;31m Demon Connected!!:%s Arch:%s\x1B[34m

BUILD %s:%s

BU1LD IP: %s BUILD: %s

These variants, however, contain neither a scanning module nor exploits; they are delivered and spread solely by abusing weak telnet passwords.
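The check-in strings listed above are a usable network indicator: a bot sends one of them to the C&C server immediately after connecting, and each is a printf-style format with `%s` placeholders for the architecture and host fields. The following is an added detection example, not code from the NSFOCUS write-up. The format strings are the ones quoted in this article; the family labels, the sample payloads and the RFC 5737 documentation addresses in them are constructed here.

```python
"""Flag Qbot-variant C&C check-in strings in captured TCP payloads.

Added detection example, not code from the article. The format strings are
the ones the article quotes; family labels and sample payloads are constructed.
"""
from __future__ import annotations

import re
from collections import Counter

# printf-style formats observed in the bots' connect requests (from the article)
BEACON_FORMATS = {
    "hakai": "[HAKAI] Connected [ ARCH:%s ] [ HOST:%s ]\x1b[0m",
    "sex_demon": "\x1b[1;36m Sex\x1b[1;31m Demon Connected!!:%s Arch:%s\x1b[34m",
    "build": "BUILD %s:%s",
    "bu1ld": "BU1LD IP: %s BUILD: %s",
}


def format_to_regex(fmt: str) -> re.Pattern[str]:
    """Turn a printf format into a regex: literal text is escaped and each %s
    becomes a lazy capture group; callers use fullmatch so the whole payload
    has to fit the template."""
    parts = [re.escape(p) for p in fmt.split("%s")]
    return re.compile("(.+?)".join(parts), re.DOTALL)


BEACON_PATTERNS = {name: format_to_regex(fmt) for name, fmt in BEACON_FORMATS.items()}


def classify_beacon(payload: str) -> tuple[str, tuple[str, ...]] | None:
    """Return (family label, captured fields) for a known check-in string,
    or None for anything else."""
    for name, pattern in BEACON_PATTERNS.items():
        m = pattern.fullmatch(payload)
        if m:
            return name, m.groups()
    return None


def summarize(payloads: list[str]) -> dict[str, int]:
    """Count matching beacons per family over a batch of payloads."""
    counts: Counter[str] = Counter()
    for p in payloads:
        hit = classify_beacon(p)
        if hit:
            counts[hit[0]] += 1
    return dict(counts)


# Constructed payloads; addresses are RFC 5737 documentation ranges.
SAMPLE_PAYLOADS = [
    "[HAKAI] Connected [ ARCH:mips ] [ HOST:192.0.2.10 ]\x1b[0m",
    "\x1b[1;36m Sex\x1b[1;31m Demon Connected!!:203.0.113.7 Arch:arm\x1b[34m",
    "BUILD x86_64:198.51.100.4",
    "BU1LD IP: 198.51.100.9 BUILD: mipsel",
    "GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",  # benign traffic, must not match
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(repr(p[:40]), "->", classify_beacon(p))
    print(summarize(SAMPLE_PAYLOADS))  # {'hakai': 1, 'sex_demon': 1, 'build': 1, 'bu1ld': 1}
```

The generated patterns can be dropped into an IDS or SIEM rule as-is; the ANSI escape sequences are kept as literal bytes rather than stripped, because they are part of what makes these strings distinctive in otherwise plain telnet or raw TCP traffic.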

Each variant modifies the command set in some way. In the most recently discovered Qbot variant we spotted an update field which, however, is not actually implemented.

We also captured some attack data. Repeated UDP flood and STP flood attacks were detected in only a few minutes, indicating that attackers were extremely active.

IOC

Related samples:

  • 327798AB42D8280822D911B9138B4B7B (exploit)
  • 51C9CE815047A53C8E374DE95D364CE5 (x86_64)
  • 7F5D3C30DC16C572F96108DBAA234191 (x86_64)
  • 4A39B5A06935F6371212D3028551EC40 (mips)

Target IP addresses:

  • *.*.147
  • *.*.8

C&C IP addresses:

  • *.*.71
  • *.*.15
  • *.*.21