A detailed analytical report by a security firm revealed the technical aspects of QakBot, a decade-old banking Trojan. Active since 2007, it has continued to claim victims and simultaneously evolved during those times.

The attack chain analysis

Kaspersky has released the technical analysis report detailing the trojan’s infection chain, typical functions, communication with C2, and more.
  • QakBot is mostly known for targeting its victims via spam. Since last year only it started including phishing emails with ZIP attachments (Office documents).
  • The documents include macros and victims are urged to open the attachment that claimed to have important information. In some instances, emails had links to web pages spreading malware-laced documents.
  • Then, it uses a DLL binary loader, communicates with the C2 server, and pushes ProLock ransomware.
  • Usually, QakBot malicious activities collect information about the compromised host, creating scheduled tasks, credentials harvesting, and registry manipulation, among others.

The report also shed light on additional modules and statistics regarding QakBot-based attacks.

Additional insights

  • The report suggests that the malware has a list of 150 IP addresses added inside the loader binary resource. These addresses are mostly from infected systems that are used as a proxy to forward traffic to another proxy or main С2.
  • Actors use multiple additional modules identified as Cookie Grabber, Hidden VNC, Email Collector, Hooking module, Pass Grabber module, Proxy module, and Web inject.

Figures of the rising threat

In the first seven months of this year, Kaspersky spotted 181,869 attempts to download or execute QakBot. This number is lower than the detection from January to July 2020.
  • The number of targeted users increased by 65% from last year and now has reached 17,316.
  • In Q1 2021, 12,704 Kaspersky users were targeted, of which 8,068 users were hit in January and 4,007 were hit in February.


Qakbot has been stealing information and performing many other disruptive functions for greater financial gains. The threat, as it appears, is here to stay. Therefore, one needs to watch its activities and ensure the right security measures are in place across different endpoints.

Cyware Publisher