New stolen digital certificates are used by the multi-purpose backdoor Qbot.
The criminals behind the Qbot trojan are certainly not inactive. As I mentioned in a blog post earlier this month, after a quiet summer we have seen a batch of new Qbot variants. An interesting fact is that the malicious binaries were digitally signed. The stolen certificate was issued to a company called Word & Brown and was later revoked by Verisign.
Yesterday, the virus-writers built a new variant of this multi-purpose backdoor. It uses a new packer, which is quite distinct from those used in previous releases. ESET’s scanning engine was able to detect the trojan heuristically.
These new samples are again digitally signed using a different certificate to the one used before. The current one was issued to Towers Watson & Co and at the time of this writing, we are working on having this certificate revoked.
ESET security software detects these versions of the trojan as Win32/Qbot.AY. A careful reader may have noticed that the detection name is the same as the one mentioned in my previous post. The reason for this is that, under-the-hood, yesterday’s update isn’t really a new variant. It’s the same malware, but a new packer (outer layer for avoiding detection) and a new digital certificate have been used.
Robert Lipovsky
Malware Researcher