# Qbot needs only 30 minutes to steal your credentials, emails **[bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/](https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/)** Bill Toulas By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) February 8, 2022 03:12 AM 0 The widespread malware known as Qbot (aka Qakbot or QuakBot) has recently returned to light-speed attacks, and according to analysts, it only takes around 30 minutes to steal sensitive data after the initial infection. According to a [new report by The DFIR Report, Qbot was performing these quick data-](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/) snatching strikes back in October 2021, and it now appears that the threat actors behind it have returned to similar tactics. More specifically, the analysts report that it takes half an hour for the adversaries to steal browser data and emails from Outlook and 50 minutes before they jump to an adjacent workstation. ## The timeline of an attack ----- As shown in the following diagram from the researcher s report, Qbot moves quickly to perform privilege escalation immediately following an infection, while a full-fledged reconnaissance scan takes place within ten minutes. **Timeline of a** **typical Qbot attack** _Source: The DFIR Report_ [Initial access for Qbot infections is typically achieved via phishing emails with malicious](https://www.bleepingcomputer.com/news/security/microsoft-these-are-the-building-blocks-of-qbot-malware-attacks/) attacks, such as Excel (XLS) documents that use a macro to drop the DLL loader on the target machine. Historically, BleepingComputer has seen Qbot phishing campaigns use various malicious document templates. For example, one document template pretends to be a warning from "Windows Defender Antivirus," providing instructions on enabling macros. ----- **Qbot phishing document** _Source: BleepingComputer_ When launched, the Qbot DLL payload will be injected and launched into legitimate Windows applications to evade detection, such as MSRA.exe and Mobsync.exe. For example, in The DFIR Report's analysis, Qbot injected into MSRA.exe and then created a scheduled task for privilege elevation. Additionally, the malware adds the Qbot DLL to Microsoft Defender's exclusion list, so it won't be detected when injection into msra.exe happens. **Discovery commands injected into msra.exe** _Source: The DFIR Report_ The malware steals emails in half an hour after the initial execution, which are then [commonly used for future replay-chain phishing attacks.](https://www.bleepingcomputer.com/news/security/qbot-steals-your-email-threads-again-to-infect-other-victims/) ----- The researchers note that Qbot will also steal Windows credentials by dumping the memory of the LSASS (Local Security Authority Server Service) process and by stealing from web browsers. These credentials can then be used to spread to other devices on the network laterally. The DFIR Report states that it only took on average fifty minutes for credentials to be dumped after the malware was first executed. The lateral movement takes place rapidly, so if there's no network segmentation to protect the workstations, the situation becomes very challenging for defense teams. The impact of these expeditious attacks isn't limited to data loss, as Qbot has also been observed in the past to drop ransomware payloads onto compromised corporate networks. Ransomware gangs known to have partnered with Qbot for initial access to corporate [networks include REvil, Egregor,](https://www.bleepingcomputer.com/news/security/qbot-partners-with-egregor-ransomware-in-bot-fueled-attacks/) [ProLock, and](https://www.bleepingcomputer.com/news/security/prolock-ransomware-teams-up-with-qakbot-trojan-for-network-access/) [MegaCortex.](https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-found-targeting-business-networks/) ## A versatile infection [A Microsoft report from December 2021 captured the versatility of Qbot attacks, making it](https://www.bleepingcomputer.com/news/security/microsoft-these-are-the-building-blocks-of-qbot-malware-attacks/) harder to evaluate the scope of its infections accurately. However, no matter how a Qbot infection unfolds precisely, it is essential to keep in mind that almost all begin with an email, so this is the main access point that organizations need to strengthen. Today's announcement by Microsoft that they will be blocking macros in downloaded documents by default by removing the 'Enable Content' and 'Enable Editing' buttons will go a long way to protecting users from Qbot phishing attacks. ### Related Articles: [New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps](https://www.bleepingcomputer.com/news/security/new-ermac-20-android-malware-steals-accounts-wallets-from-467-apps/) [Phishing websites now use chatbots to steal your credentials](https://www.bleepingcomputer.com/news/security/phishing-websites-now-use-chatbots-to-steal-your-credentials/) [Fake crypto sites lure wannabe thieves by spamming login credentials](https://www.bleepingcomputer.com/news/security/fake-crypto-sites-lure-wannabe-thieves-by-spamming-login-credentials/) [Emotet botnet switches to 64-bit modules, increases activity](https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/) [Emotet malware infects users again after fixing broken installer](https://www.bleepingcomputer.com/news/security/emotet-malware-infects-users-again-after-fixing-broken-installer/) [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications. An open source advocate and Linux enthusiast, is ----- currently finding pleasure in following hacks, malware campaigns, and data breach incidents, as well as by exploring the intricate ways through which tech is swiftly transforming our lives. -----