Cybersecurity and Qakbot
Qakbot: Much more than it's cracked up to be
Charles Parker, II
Malware is a valid, viable tool for attackers. The usual variants have been coded over time, and as each one is introduced its signature attack becomes known and the defensive systems learn to look for it. The attackers are clearly aware of this and code new variants of their malware to evade detection. One such example is Qakbot.
Qakbot is not a new malware example. It has been around since 2007, making it an old veteran of the computer infection/malware game. Although it has been in the environment for such an extended period, it is still a viable attack tool, especially with its more recent refinements.
It propagates via network shares. It was designed to disable not only a single node but an entire network, and it works through multiple components in this endeavor. The early variants used the “.qbot” string and applied a single layer of encryption on the infected machines.
As time passed, the later variants set the configuration files to hidden. To obscure the files and folders yet further, they also used random names. To complicate matters further on the host, the configuration file’s encryption was doubled.
With this iteration, to infect the client, the attacker may lure the victim to a malicious site hosting the exploit kit, or may simply email the specially crafted PDF to the victim. Once the victim is infected, the malware detects whether the user is visiting a banking or finance-related website. Specifically, this malware was coded to detect activity with JPMorgan Chase, Citibank, Citigroup, Huntington Bank, Bank of America, Wells Fargo, 5/3 Bank, Key Bank, PNC Bank, and others.
It was also configured to harvest credentials from Windows machines, Outlook, Windows Live Manager, RDP, and Gmail messenger. If this was not enough, the malware also looked for Internet Explorer’s password manager.
In the cybersecurity field, not all malware has such a long, viable life of actually being useful in attacks. This iteration has many components, each functioning differently. One notable update is that when the malware detects it is running in a VM, it uninstalls itself. With this function, it is substantially more difficult for a researcher to reverse engineer the sample or monitor its actions, as it removes itself before it can be observed. The malware isn’t static, which makes it difficult to place a signature in the AV tools, since the malware is updated as needed from the C&C server. To make itself even harder to detect, the updates are designed to mutate its appearance.
At one point in this cycle, 85% of the infected systems were in the US. The primary successful targets were the academic, government, and healthcare industries. This level of penetration was mostly due to code that allows the malware to modify itself.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.