Qakbot’s Password-Stealing Malware Evades Detection
By: Jim Stickley and Tina Davis
September 29, 2019
It’s not bad enough that banking passwords and account numbers get stolen. Now, a banking Trojan that’s been stealing financial passwords for over a decade has recently become nearly impossible to detect. Qakbot, also called Qbot, has reappeared in a way that bypasses security software. Qakbot has not gone unnoticed by the FBI, which released a public bulletin warning about the Trojan bot credential-stealing malware. The bulletin finds Qakbot is now capable of easily spreading across a network. Infecting computers since 2009, there’s been an increased rash of reporting about Qakbot, and security experts are finding new variants of its malware popping up everywhere.
One of Qakbot’s newest iterations is obfuscation, or the ability to remain undetected. For ten years, the malware targeted financial institutions in the U.S. and rapidly spread to include victims worldwide. The lone aim of the malware is targeting businesses with one goal in mind: steal login credentials and clean out bank accounts. New variants have the ability to change tactics once inside a system. The roadblocks Qakbot may encounter, including security software, are avoided by the malware’s ability to modify its tactics in real time, allowing it to stay undetected while collecting its payload.
The original version of Qakbot uses a combination of techniques for its attacks, including keylogging, which captures keystrokes, allowing passwords and account numbers typed on a keyboard to be stolen. Qakbot also uses credential exfiltration, which gains access to company systems and allows hackers to collect browsing activity along with bank account credentials and other financial information. Another technique Qakbot uses is called hooking. In this case, it intercepts any messaging within a system to help it remain imperceptible.
Recent findings on Qakbot’s latest version show it is likely spreading through email phishing attacks. A zip file carrying a malicious VBScript helps Qakbot spread and was discovered attached to a phishing email. As of now, the future devastation Qakbot may bring to the world of finance is yet to be known. As the malware continues to morph into new and improved tactics, an effective way to fight Qakbot has yet to be discovered.
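The delivery method described above, a zip attachment wrapping a VBScript file, is something a mail gateway or mailbox scanner can flag before a user ever double-clicks it. The following is an added example, not code from the article or from any vendor: it parses a raw email, identifies zip attachments by their magic bytes rather than the sender-controlled filename or MIME type, and reports any archive member with a Windows script or executable extension. The sample message and its harmless placeholder .vbs are constructed inline; the sender addresses are assumed placeholders.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# File types Windows runs directly when double-clicked (script hosts and binaries).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".ps1", ".bat", ".cmd", ".exe", ".scr"}

def script_members(zip_bytes: bytes) -> list[str]:
    """Return archive member names whose final extension is a script/executable type."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    # Lower-case and check the final extension only, so "invoice.pdf.vbs" is caught.
    return [n for n in names if any(n.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)]

def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Walk an RFC 822 message; return (attachment name, flagged members) for zips carrying scripts."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue                      # body text and multipart containers
        payload = part.get_payload(decode=True) or b""
        # Identify zips by magic bytes; the declared extension and MIME type are attacker-chosen.
        if payload.startswith(b"PK\x03\x04"):
            hits = script_members(payload)
            if hits:
                findings.append((filename, hits))
    return findings

def build_sample_message() -> bytes:
    """Constructed lure: an 'invoice' email with a zip that wraps a placeholder .vbs (no real script)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_09-2019.vbs", "' placeholder, not a real script\r\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # assumed placeholder address
    msg["To"] = "user@example.invalid"         # assumed placeholder address
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, hits in scan_message(build_sample_message()):
        print(f"flag {name}: {hits}")
```

Feeding real mailbox exports (.eml files) into `scan_message` gives a quick triage list of messages worth quarantining or reviewing.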
In the meantime, look out for phishing lures in email messages. If the sender is unfamiliar, an attachment or link is not expected, or a popup appears asking for admin permissions or to enable macros, don’t bite. Instead, independently verify the message by placing a phone call or sending a new email message using contact information you know to be legitimate. As always, taking a walk to someone’s desk is also very effective for thwarting phishing.