This password-stealing malware just evolved a new tactic to remain hidden


Malware Summary

Qakbot, also known as Qbot, is banking malware that has been in the threat landscape since 2008, similar to Rubber Ducky and Mimikatz, and is considered one of the most effective malware families of the past decade, in part because its source code is available to cybercriminals and can therefore be easily modified and extended. It was developed primarily to steal bank login details and other compromised credentials. With its recent re-emergence, it appears that attackers have continued to ‘metamorphose’ Qbot, developing new obfuscation techniques intended to keep its scheme stealthy.

Infection Chain

Qakbot is initially distributed through phishing emails and reaches victims via a dropper. Once infected, the victim machine creates a scheduled task. This task runs a JavaScript downloader that makes a request to one of several hijacked domains. The targets are primarily Microsoft Windows systems, with the aim of creating backdoors and making off with the usernames and passwords that can provide access to financial information.

Conclusion

There has been a change in Qakbot's infection chain that makes it more difficult for traditional anti-virus software to detect. The download of the malware may go undetected, because the malware is obfuscated when it is downloaded and is saved as two separate files. These files are then decrypted and reassembled using the type command. Malware detection that relies on seeing the full transfer of the malicious executable would likely miss this updated version of Qakbot. Once deployed on an infected system, the Trojan works in the background to steal the data relevant to the attackers' goals.
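The split-and-reassemble step described above leaves a host-side trace even when the network transfer is missed: a command line that feeds two or more files to the type command and redirects the result into an executable. The following detection logic is an added example, not code from the original post; the process-creation events it scans are constructed samples, and the field names are assumptions rather than any particular product's schema.

```python
import re
from typing import List, NamedTuple, Tuple


class ProcessEvent(NamedTuple):
    """Minimal process-creation record (hypothetical field names)."""
    pid: int
    image: str
    command_line: str


# Windows `type` with two or more input files redirected into an output:
#   type part1 part2 > out.exe   (also matches `>>` and quoted paths)
TYPE_CONCAT = re.compile(
    r'\btype\s+'
    r'(?P<inputs>(?:"[^"]+"|[^\s>]+)(?:\s+(?:"[^"]+"|[^\s>]+))+)'
    r'\s*>>?\s*"?(?P<out>[^"\s]+)"?',
    re.IGNORECASE,
)

# Output extensions that indicate a runnable artifact rather than a text file.
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs")

# Constructed sample events; only the first and last should be flagged.
SAMPLE_EVENTS = [
    ProcessEvent(1201, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c type C:\Users\Public\p1.dat C:\Users\Public\p2.dat > C:\Users\Public\update.exe"),
    ProcessEvent(1202, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c type C:\logs\app.log"),
    ProcessEvent(1203, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c type "C:\Program Files\build\a.txt" "C:\Program Files\build\b.txt" > C:\build\notes.txt'),
    ProcessEvent(1204, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -Command Get-Content C:\logs\app.log"),
    ProcessEvent(1205, r"C:\Windows\System32\cmd.exe",
                 r"cmd /c type %TEMP%\a.bin %TEMP%\b.bin %TEMP%\c.bin >> %TEMP%\svc.dll"),
]


def find_type_reassembly(events: List[ProcessEvent]) -> List[Tuple[int, str, int]]:
    """Return (pid, output_path, input_count) for each event whose command line
    concatenates two or more files with `type` into an executable-type output.
    A single-input `type file > out` or a text-file output is not reported."""
    hits = []
    for ev in events:
        m = TYPE_CONCAT.search(ev.command_line)
        if not m or not m.group("out").lower().endswith(EXEC_EXT):
            continue
        inputs = re.findall(r'"[^"]+"|[^\s>]+', m.group("inputs"))
        hits.append((ev.pid, m.group("out"), len(inputs)))
    return hits


if __name__ == "__main__":
    for pid, out, n in find_type_reassembly(SAMPLE_EVENTS):
        print(f"pid {pid}: {n} parts reassembled into {out}")
```

The rule is deliberately narrow (two or more inputs and an executable-type output) so that ordinary uses of type on log or text files do not alert.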

Malware Deterrence

Users are advised not to open or execute files of unknown origin, to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Block suspicious addresses and have the firewall drop connections from suspicious sources. Block network ports used by compromised computers, which have been known to use a TCP port between 16666 and 16669. Open network shares only when needed. The best form of protection against Qakbot, however, is to stop it from being deployed onto the machine in the first place, because even after the malware is removed it can still cause ongoing issues, and its executable files could still be rerun as scheduled.
