UPDATED 13:11 EST / JULY 26 2023

The banking trojan malware Qakbot is surging again. Here’s what it means for defenders

The banking trojan Qakbot has once again risen in popularity, because you just can’t keep well-designed and effective malware down.
A new report from Zscaler Inc.’s threat labs provides new details about the trojan, which has been around since 2007 stealing banking credentials from around the world. Qakbot, which other researchers have also called QBot or Pinkslipbot, is very clever and adapts to changes in the threat landscape. Its attacks typically begin with a phishing lure and end with a ransomware attack or with stolen banking credentials.
Back in January, Microsoft disabled Office macros by default — and it was certainly about time, since malware-laced macros have been a persistent thorn in security managers’ sides for years. So Qakbot switched over to using infected OneNote files to gain a toehold on users’ personal computers.
This choice proved effective cover, since users are familiar with the cloud repository and many use it for benign purposes. Over the years, Qakbot has used a variety of infection vectors, including switching file names and formats and deploying several techniques to hide its operation.
Zscaler documents a series of three different case studies from attacks observed during March, April and May 2023. In March, Qakbot switched from using OneNote files to using infected PDF and HTML files. These files contained hidden malicious JavaScript code and masqueraded as invoices or carried other innocent-sounding names to lure unsuspecting users into clicking on them. This multistep attack chain is shown below:
Then in April, the Qakbot authors got even sneakier, using the Windows Script File format to conceal an encoded XML script that would download the malware’s actual payload. In May, the malware employed more sophisticated tools to hide its operations, using its own command-line tool to avoid potentially showing up in various anti-malware scanners.
Another clever technique was to check whether the malware was running in a Microsoft Defender sandbox and, if so, to terminate itself quickly, showing the effort put into evading detection. All of this information was collected from samples on Zscaler customer networks, and the report documents further evasive maneuvers, as well as where the malware’s command-and-control servers are most active.
Qakbot activity peaked in June. This confirms another report from Lumen Technologies that documents how, once the malware infects a user’s PC, it then takes control and turns the machine into a command-and-control server for its network. Lumen found these servers quickly come and go, which makes the malware actions harder to track.
Since then, Team Cymru has published an analysis of the Qakbot command-and-control infrastructure, offering new insights into where these servers are located and evidence of new servers created since the June slowdown.
Zscaler recommends that “organizations must remain vigilant and adopt best practices, including implementing multi-layered security defenses and conducting security awareness training.” Certainly, it’s key to make users aware that just because an attachment wants to make use of OneNote doesn’t mean that it’s legitimate.
Images: Pixabay, Zscaler
