Qbot & IcedID Loader are the Dons Given Don Emotet Sleeps with the Fishes

Arun Kumar S, Rajeshkumar R

K7 Computing Pvt Ltd

Abstract:

Operation Ladybird, which took down Emotet in January 2021, indeed dealt a severe blow to the cybermafia, but the rapid surge we have observed in Qbot and IcedID Loader since then has clearly shown that the baton was always ready to be passed on.

Similar to Emotet, IcedID Loader and Qbot evolved from traditional banking Trojans, used for banking credential harvesting, into early-stage loaders within a Malware-as-a-Service framework for the delivery of other malware, most notably prominent ransomware. They now render the service of gaining unauthorised footholds into organisations to ransomware groups: whereas IcedID Loader helps push Maze and EGREGOR ransomware, Qbot delivers Prolock and REvil ransomware. In its heyday, with the pandemic as its open hunting season, Emotet had delivered Trickbot and Ryuk ransomware. Nowadays Qbot and IcedID Loader, the new dons, mimic Emotet’s style of TTPs and operate on its turf.

The latest IcedID Loader is a two-stage malware: the first stage collects victim data and sends it to the C&C, which in turn responds with an appropriate secondary payload, typically the delivery agent. Qbot carries its main payload, a DLL file, encrypted and embedded within its resources; it is this DLL that contacts the C&C. Both Qbot and IcedID Loader implement an array of anti-VM, anti-analysis and persistence methods, and email thread hijacking, an effective technique employed by Emotet to lure victims, has now been adopted and adapted by its successors too. Qbot also employs a self-process-hollowing technique to evade deeper scrutiny, whilst IcedID Loader has used steganography to conceal its payloads. Both malware families follow a modular architecture, Emotet’s forte, which contributes to their campaign successes.

Emotet wreaked havoc globally across multiple industries and government agencies, and its legacy has not withered away. Its successors, Qbot and IcedID Loader, were primed and ready to continue the mayhem. Both families have churned out variants customised for specific campaigns, upgrading different layers across the kill chain each time, right from the spam mail to the final payload. In this talk we will examine in technical detail the effective modular architecture and Malware-as-a-Service setup, reminiscent of Emotet, of both Qbot and IcedID Loader, focussing on the rapid evolution of their respective granular TTPs.

Speakers

Arun Kumar S

Threat Researcher 2

Rajeshkumar R

Threat Researcher 2
