
Qbot malware switched to stealthy new Windows autostart method
2020-12-09 16:00

A new Qbot malware version now activates its persistence mechanism right before infected Windows devices shut down, and it automatically removes any traces when the system restarts or wakes up from sleep.

Since November 24, when Binary Defense threat researcher James Quinn says the new Qbot version was first spotted, the malware has been using a newer and stealthier persistence mechanism that takes advantage of system shutdown and resume messages to toggle persistence on and off on infected devices.
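The practical consequence of this toggling for defenders is that the autostart entry is absent whenever the machine is up and being examined, so it has to be caught in forwarded event logs rather than on the live system. The following is an added example, not code from the article or from Binary Defense: it correlates a constructed, simplified event timeline (not the real Sysmon or Windows Event Log format) and flags an autostart registry value that is written shortly before a shutdown and deleted shortly after the next boot. It assumes the persistence is a Run/RunOnce registry value, which the article describes only as an "autostart method" without naming the key; the timestamps, SID and value name in the sample log are constructed.

```python
"""Detect 'write autostart at shutdown, delete at boot' persistence toggling.

Added example, not the article's or Binary Defense's code.  Works over a
constructed, simplified event log and assumes the persistence lives under a
Run/RunOnce key (an assumption; the article does not name the key).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class Event:
    ts: datetime
    kind: str            # reg_set | reg_delete | shutdown | startup
    target: str = ""     # registry value path for reg_* events


@dataclass
class Finding:
    target: str
    written_at: datetime
    severity: str        # "high": written before shutdown AND removed after boot
                         # "medium": written before shutdown, removal not seen


# Constructed sample log, one event per line: "<ISO timestamp> <KIND> [<path>]".
# The SID and the value name "abcdxyz" are made up for the example.
SAMPLE_LOG = """\
2020-12-01T12:00:00 REG_SET HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive
2020-12-01T17:59:58 REG_SET HKU\\S-1-5-21-1111\\Software\\Classes\\ms-settings\\shell
2020-12-01T18:00:00 REG_SET HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\abcdxyz
2020-12-01T18:00:02 SHUTDOWN
2020-12-02T08:15:00 STARTUP
2020-12-02T08:15:03 REG_DELETE HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\abcdxyz
"""


def parse_line(line: str) -> Event:
    """Parse one line of the simplified log format."""
    parts = line.strip().split(" ", 2)
    ts = datetime.fromisoformat(parts[0])
    kind = parts[1].lower()
    target = parts[2] if len(parts) > 2 else ""
    return Event(ts, kind, target)


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_autostart(path: str) -> bool:
    """True for values under ...\\CurrentVersion\\Run or ...\\CurrentVersion\\RunOnce."""
    return "\\currentversion\\run" in path.lower()


def find_toggled_autostarts(events: List[Event],
                            window: timedelta = timedelta(seconds=30)) -> List[Finding]:
    """Flag autostart values written within `window` before a shutdown.

    Severity is raised to "high" when the same value is deleted within
    `window` after a later startup, which is the full toggle pattern.
    """
    events = sorted(events, key=lambda e: e.ts)
    shutdowns = [e.ts for e in events if e.kind == "shutdown"]
    startups = [e.ts for e in events if e.kind == "startup"]
    findings = []
    for e in events:
        if e.kind != "reg_set" or not is_autostart(e.target):
            continue
        # Was this autostart value written just before the machine went down?
        if not any(timedelta(0) <= (s - e.ts) <= window for s in shutdowns):
            continue
        # Was the same value removed just after a subsequent boot?
        removed = any(
            d.kind == "reg_delete"
            and d.target.lower() == e.target.lower()
            and any(timedelta(0) <= (d.ts - b) <= window for b in startups)
            for d in events if d.ts > e.ts
        )
        findings.append(Finding(e.target, e.ts, "high" if removed else "medium"))
    return findings


if __name__ == "__main__":
    for f in find_toggled_autostarts(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.target} written at {f.written_at.isoformat()}")
```

Run against the sample log, this reports a single high-severity finding for the `Run\abcdxyz` value; the OneDrive entry written hours before the shutdown and the non-autostart write right before it are ignored. In a real deployment the event stream would come from forwarded registry-set/delete telemetry plus the shutdown and startup events of the System log, because by the time an analyst inspects the host the registry value is already gone.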

Qbot's installation technique has also been updated in this version: it now uses a new DLL architecture that combines the malware loader and the bot in a single DLL. Previously, the loader evaded detection by automated malware sandboxes by storing all the malicious code in a separate DllRegisterServer component and calling it only via regsvr32.

"Removing the command line switches and analysis checks through new process creation, the new loader's installation mechanism only occurs after the bot has been injected into explorer.exe," Quinn adds.

Qbot has also switched to a new in-registry encrypted config from the.


News URL

https://www.bleepingcomputer.com/news/security/qbot-malware-switched-to-stealthy-new-windows-autostart-method/