LONDON, April 12 — A new strain of Qbot malicious software that self-updates is being used to attack public sector organizations around the world, BAE Systems reports.
More than 54,000 computers in thousands of organizations, including police departments, hospitals and universities, have been infected with the malware so far, according to the company's white paper.
“Many public sector organizations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks,” said Adrian Nish, Head of Cyber Threat Intelligence at BAE Systems. “In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organization to the spreading problem.”
BAE Systems said Nish was referring to an organization that was attacked early this year, with 500 computers infected. An emergency response to the Qbot attack on that public sector organization gave BAE Systems insight into how the updated malware infects hosts, updates itself and evades all but a few antivirus and anti-malware defenses.
“Qbot first came to light in 2009, but this new version is equipped with advanced tools to escape detection and infect quickly,” he said.
The modifications include "shape-changing," or polymorphic, code. Each time the controlling servers issued a copy of the malware, it was compiled afresh with additional content, so every download had a different file hash and looked like a completely different program to researchers and tools looking for specific signatures.
Automated updates pushed new, encrypted builds to infected machines roughly every six hours, keeping the malware ahead of detection and helping it spread. It also checks for signs that it is running in a "sandbox," an isolated analysis environment used to detonate suspicious files, such as e-mail attachments, before they reach users' inboxes, and behaves differently if it finds them.
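The following example is added here to illustrate the polymorphism problem described above; it is not code from the article or from BAE Systems, and it does not reproduce Qbot. It constructs a stand-in payload whose server-side "build" changes junk padding, an immediate operand and a keyed config blob on every download, then shows that a blocklist of file hashes stops matching after the first build while a structural signature (fixed opcodes with wildcards for the per-build values, in the spirit of a YARA hex pattern) still fires. The opcode bytes, config string and build layout are assumptions chosen for the demonstration.

```python
import hashlib
import random
import re
import struct

# Constructed stand-in for a per-download build. The opcode bytes mimic a
# tiny x86 function so the example has something structural to match on;
# this is NOT Qbot's real code or layout (assumption for illustration).
_PROLOGUE = b"\x55\x8b\xec"  # push ebp; mov ebp, esp
_EPILOGUE = b"\xc9\xc3"      # leave; ret


def build_sample(seed: int) -> bytes:
    """Simulate a server that recompiles the payload for each download.

    Each build gets fresh junk padding, a fresh immediate in the code and a
    freshly keyed config blob, so every copy has a different file hash while
    the instruction skeleton stays the same. Deterministic per seed.
    """
    rng = random.Random(seed)

    def junk(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    key = rng.getrandbits(32)
    code = (_PROLOGUE
            + b"\x68" + struct.pack("<I", key)                    # push imm32
            + b"\xe8" + struct.pack("<i", rng.randint(16, 4096))  # call rel32
            + _EPILOGUE)
    # Constructed config string, XORed with a per-build byte so a plain
    # string search for it fails as well.
    config = bytes(b ^ (key & 0xFF) for b in b"config:update-interval=6h")
    return junk(rng.randint(16, 64)) + code + junk(rng.randint(16, 64)) + config


def sha256(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def matches_blocklist(sample: bytes, blocklist: set) -> bool:
    """Classic IOC check on the exact file hash; defeated by per-download rebuilds."""
    return sha256(sample) in blocklist


# Structural signature: fixed opcodes with four-byte wildcards for the
# per-build immediates (push imm32 / call rel32).
_SKELETON = re.compile(rb"\x55\x8b\xec\x68.{4}\xe8.{4}\xc9\xc3", re.DOTALL)


def matches_structural(sample: bytes) -> bool:
    return _SKELETON.search(sample) is not None


def evaluate(builds: int = 20) -> dict:
    """Seed a hash blocklist with the first build, then score every build."""
    samples = [build_sample(i) for i in range(builds)]
    blocklist = {sha256(samples[0])}
    return {
        "unique_hashes": len({sha256(s) for s in samples}),
        "hash_hits": sum(matches_blocklist(s, blocklist) for s in samples),
        "structural_hits": sum(matches_structural(s) for s in samples),
    }


if __name__ == "__main__":
    print(evaluate())
```

Running `evaluate()` reports as many unique hashes as builds, a single hash hit (the build the blocklist was seeded from) and a structural hit on every build. The practical lesson is the one the article points at: against server-side recompilation, hash and exact-string indicators age out within one download cycle, so detection has to rest on code structure, behaviour or network activity rather than on file identity.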
“This case illustrates that organisations must remain alert to, and defend against, new and evolving cyber threats,” Nish said.
A BAE Systems specialist team mapped the malware's command-and-control network to discover how stolen data was being uploaded. It also identified how the operators changed the destination for the stolen data with each upload to avoid detection and interception.