Security researchers have detected a new, updated strain of the data-stealing trojan Qbot that is “harder to detect and intercept”.
According to a detailed report by BAE Systems, the malware has already infected more than 54,000 computers across thousands of organizations. ESET detects this threat as Win32/Qbot and Win32/Kryptik.
Analysts said that a number of updates have been made to the original Qbot malware, including “shape-changing” and “polymorphic” code that makes it more difficult to detect.
As noted by IT Pro, the malware can also detect if it is being looked at in a sandbox environment – a tool used by security researchers to spot malware before it can cause damage to users.
An incident response team at BAE Systems discovered the new threat in early 2016, when 500 computers belonging to an unnamed public sector organization were infected.
The BAE Systems blog notes that cybercriminals have specifically targeted public organizations including police departments, hospitals and universities.
Adrian Nish, head of Cyber Threat Intelligence at BAE Systems, explained: “Many public sector organizations are responsible for operating critical infrastructure and services, often on limited budgets, making them a prime target for attacks.
“In this instance, the criminals tripped up because a small number of outdated PCs were causing the malicious code to crash them, rather than infect them. It was this series of crashes that alerted the organization to the spreading problem.”
The BAE Systems report categorizes Qbot as a network-aware worm with backdoor credentials, primarily used for harvesting user credentials.
The report notes that Qbot could continue to spread, and organizations are advised to update and search their defensive systems to identify attacks.