The banking trojan Qakbot has once again risen in popularity, because you just can’t keep well-designed and effective malware down.
A new report from Zscaler Inc.’s threat labs provides new details about the trojan, which has been around since 2007 stealing banking credentials from around the world. Qakbot, which has also been called QBot or Pinkslipbot by other researchers, is very clever and adapts to changes in the threat landscape. Its attacks typically begin with a phishing lure and end with a ransomware attack or stolen banking credentials.
Back in January, Microsoft disabled Office macros by default — and it was certainly about time, since malware-laced macros have been a persistent thorn in security managers’ sides for years. So Qakbot switched over to using infected OneNote files to gain a toehold in users’ personal computers.
This choice proved effective cover, since users are familiar with the cloud repository and many use it for benign purposes. Over the years, Qakbot has used a variety of infection vectors, including switching file names and formats and deploying several techniques to hide its operation.
Zscaler documents a series of three different case studies from attacks observed during March, April and May 2023. In March, Qakbot switched from using OneNote files to using infected PDF and HTML files. These files contained hidden malicious JavaScript code and masqueraded as invoices or other innocent-sounding documents to lure unsuspecting users into clicking on them. This multistep attack chain is shown below:
Then in April, the Qakbot authors got even sneakier, using the Windows Script File format to conceal an encoded XML script that would download the malware’s actual payload. In May, the malware employed more sophisticated tools to hide its operations, using its own command-line tool to avoid potentially showing up in various anti-malware scanners.
Another clever technique was to check whether the malware is running in a Microsoft Defender sandbox and, if so, quickly terminate, showing the effort to evade detection. All of this information was collected from samples from Zscaler customer networks, and its report documents further evasive maneuvers and where the malware’s command-and-control servers are most active.
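The three case studies above boil down to a short list of delivery formats a mail gateway or endpoint agent can look for: OneNote files, PDF and HTML attachments carrying hidden JavaScript, and Windows Script Files wrapping an embedded script. The following triage routine is an added illustration of that defender-side check; it is not code from Zscaler’s report or from the malware. The attachment samples, the lure-word list and the low/medium/high risk levels are all constructed assumptions.

```python
"""Triage mail attachments for the Qakbot delivery formats named in the article.

Added example, not Zscaler's or the malware's code.  The sample attachments,
lure-word list and risk levels below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Formats the article names as Qakbot delivery vectors.
SCRIPT_CAPABLE = {".wsf": "Windows Script File", ".one": "OneNote notebook"}
# Constructed list of words the article says such lures masquerade as.
LURE_WORDS = ("invoice", "payment", "statement", "receipt")


@dataclass
class Finding:
    name: str
    risk: str                      # "low", "medium" or "high"
    reasons: list[str] = field(default_factory=list)


def _extension(name: str) -> str:
    lower = name.lower()
    dot = lower.rfind(".")
    return lower[dot:] if dot >= 0 else ""


def triage_attachment(name: str, data: bytes) -> Finding:
    """Return a risk verdict for one attachment based only on its name and bytes."""
    ext = _extension(name)
    reasons: list[str] = []
    risk = "low"

    if any(word in name.lower() for word in LURE_WORDS):
        reasons.append("lure-style filename")

    if ext in SCRIPT_CAPABLE:
        # OneNote and WSF attachments are script carriers; treat them as high on sight.
        risk = "high"
        reasons.append(f"{SCRIPT_CAPABLE[ext]} attachment")
        if ext == ".wsf" and re.search(rb"<script\b", data, re.I):
            reasons.append("WSF contains an embedded <script> block")
    elif ext == ".pdf":
        if not data.startswith(b"%PDF-"):
            risk = "medium"
            reasons.append("PDF extension but no %PDF header")
        # /JavaScript and /JS are the PDF name objects that attach script actions.
        if re.search(rb"/(JavaScript|JS)\b", data):
            risk = "high"
            reasons.append("PDF declares JavaScript actions")
    elif ext in (".html", ".htm"):
        if re.search(rb"<script\b", data, re.I):
            risk = "high"
            reasons.append("HTML attachment contains script")
            # A long base64-like run inside scripted HTML suggests an embedded payload.
            if re.search(rb"[A-Za-z0-9+/]{200,}={0,2}", data):
                reasons.append("large base64-like blob (possible embedded payload)")

    if risk == "low" and reasons:
        risk = "medium"            # e.g. a lure-style name on an otherwise plain file
    return Finding(name, risk, reasons)


def triage_all(attachments: dict[str, bytes]) -> dict[str, Finding]:
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


# Constructed sample attachments; none of these are real Qakbot artifacts.
SAMPLE_ATTACHMENTS = {
    "Invoice_4471.one": b"\x00" * 64,
    "invoice.pdf": b"%PDF-1.7\n1 0 obj\n<< /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n",
    "statement.html": b"<html><body><script>var b='" + b"A" * 300 + b"';</script></body></html>",
    "payment.wsf": b'<job id="run"><script language="VBScript">MsgBox "test"</script></job>',
    "report.txt": b"Quarterly figures attached.",
}

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_ATTACHMENTS).values():
        print(f"{finding.name:20} {finding.risk:6} {'; '.join(finding.reasons)}")
```

The routine deliberately keys on the container format rather than on any particular sample: a OneNote or WSF attachment arriving by mail is flagged regardless of content, while PDF and HTML only escalate when they actually carry script, which mirrors the March and April vectors in Zscaler’s timeline.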
Qakbot activity peaked in June. This confirms another report from Lumen Technologies that documents how, once the malware infects a user’s PC, it then takes control and turns the machine into a command-and-control server for its network. Lumen found these servers quickly come and go, which makes the malware actions harder to track.
Since then, Cymru has published analysis of the Qakbot command-and-control infrastructure, showing new insights into where these servers are located and evidence of new servers created since the June slowdown.
Zscaler recommends that “organizations must remain vigilant and adopt best practices, including implementing multi-layered security defenses and conducting security awareness training.” Certainly, it’s key to make users aware that just because an attachment wants to make use of OneNote doesn’t mean that it’s legitimate.
Images: Pixabay, Zscaler