
Qakbot leverages updated persistence mechanism to evade detection

  • Researchers have observed an updated persistence mechanism that Qakbot uses to evade detection by most antivirus solutions.
  • Qakbot goes undetected at download time because the payload is delivered obfuscated and saved in two separate files.

Qbot, also known as Qakbot, is a banking trojan that has been active since 2008. Recently, researchers have observed an updated persistence mechanism that the trojan uses to evade detection by most antivirus solutions.

What are the new changes made to the trojan?

Usually, a Qakbot-infected machine creates a scheduled task that executes a JavaScript downloader, which in turn makes a request to one of several hijacked domains. The following are the changes observed in the trojan:

  • DNS changes are made to these hijacked domains.
  • Additionally, the malware author made code changes to Qakbot on March 15, 2019, adding the comment string “CHANGES 15.03.19” within the malicious JavaScript downloader.
  • A scheduled task is created to execute a batch file.
  • The malware is obfuscated when it is downloaded and is saved in two separate files, (randalpha)_1.zzz and (randalpha)_2.zzz.
  • The data in the two files is decrypted with code contained in the JavaScript downloader and reassembled using the Windows type command.

“This downloader always requests the URI "/datacollectionservice[.]php3." from these hijacked domains. The domains used by the downloader for this request are XOR encrypted at the beginning of the JavaScript. The response to this request is obfuscated data that will be saved as (randalpha)_1.zzz and (randalpha)_2.zzz,” researchers said in a blog.
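The two artefacts described above (a scheduled task that runs a batch file and reassembles a (randalpha)_1.zzz / (randalpha)_2.zzz pair with the type command, and requests for the /datacollectionservice[.]php3 URI from hijacked domains) are the kind of thing a responder would hunt for in scheduled-task and proxy logs. The following is an added detection example, not code from the article or from the researchers it quotes; the scheduled-task command lines, proxy log lines, paths and .invalid hostnames are constructed placeholders, and the field layout of the proxy lines is an assumption.

```python
import re
from typing import Dict, List

# Added detection example (not from the article). It checks two artefacts the
# article describes:
#   1. scheduled-task actions that use the Windows `type` command to
#      concatenate a (randalpha)_1.zzz / (randalpha)_2.zzz pair (a batch file
#      alone is only context, since many legitimate tasks run .bat files);
#   2. outbound requests for the URI /datacollectionservice.php3, which the
#      article writes defanged as /datacollectionservice[.]php3.
# All sample inputs are constructed for this example; the paths and .invalid
# hostnames are placeholders, not real indicators.

ZZZ_FILE = re.compile(r"([^\s\\/\"']+)_([12])\.zzz\b", re.IGNORECASE)
TYPE_CMD = re.compile(r"(?:^|[\s&|;(])type\s", re.IGNORECASE)
BATCH_FILE = re.compile(r"\.bat\b", re.IGNORECASE)
COLLECT_URI = re.compile(r"/datacollectionservice\.php3\b", re.IGNORECASE)

SAMPLE_TASK_ACTIONS: List[str] = [
    # Constructed: a task that launches a batch file from a user profile.
    r"C:\Windows\System32\cmd.exe /c C:\Users\alice\AppData\Roaming\kjqwe.bat",
    # Constructed: the reassembly step the article describes.
    r"cmd.exe /c type C:\Users\alice\AppData\Roaming\kjqwe_1.zzz "
    r"C:\Users\alice\AppData\Roaming\kjqwe_2.zzz > C:\Users\alice\AppData\Roaming\kjqwe.exe",
    # Constructed: benign task that must not be flagged.
    r"C:\Program Files\Backup\backup.exe --nightly",
]

SAMPLE_PROXY_LINES: List[str] = [
    # Constructed proxy log lines: timestamp, client, method, URL, status.
    "2019-03-20T10:01:02Z 10.0.0.5 GET http://hijacked-site.invalid/datacollectionservice.php3 200",
    "2019-03-20T10:01:05Z 10.0.0.5 GET http://normal-site.invalid/index.html 200",
]


def inspect_task_action(cmd: str) -> Dict[str, object]:
    """Classify one scheduled-task command line.

    A _1.zzz/_2.zzz pair sharing a prefix is the strong signal; `type`
    touching any .zzz file is also flagged; a .bat file alone is context.
    """
    per_prefix: Dict[str, set] = {}
    for prefix, idx in ZZZ_FILE.findall(cmd):
        per_prefix.setdefault(prefix.lower(), set()).add(idx)
    pairs = sorted(p for p, idx in per_prefix.items() if idx == {"1", "2"})
    uses_type = bool(TYPE_CMD.search(cmd))
    return {
        "zzz_pairs": pairs,
        "type_concat": uses_type and bool(per_prefix),
        "runs_batch": bool(BATCH_FILE.search(cmd)),
        "suspicious": bool(pairs) or (uses_type and bool(per_prefix)),
    }


def find_collection_requests(proxy_lines: List[str]) -> List[str]:
    """Return the proxy log lines that request the downloader's URI."""
    return [line for line in proxy_lines if COLLECT_URI.search(line)]


def triage(task_actions: List[str], proxy_lines: List[str]) -> Dict[str, object]:
    """Run both checks and summarise what a responder should look at first."""
    flagged = [cmd for cmd in task_actions if inspect_task_action(cmd)["suspicious"]]
    requests = find_collection_requests(proxy_lines)
    return {
        "flagged_tasks": flagged,
        "collection_requests": requests,
        "verdict": "investigate" if flagged or requests else "clean",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_TASK_ACTIONS, SAMPLE_PROXY_LINES)
    for cmd in result["flagged_tasks"]:
        print("suspicious task action:", cmd)
    for line in result["collection_requests"]:
        print("downloader request:", line)
    print("verdict:", result["verdict"])
```

On a real host the task actions would come from `schtasks /query /v /fo csv` output or Task Scheduler event logs rather than the constructed list, and the proxy lines from the web gateway; the regexes are deliberately loose on paths because the prefix is random per infection.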

Key takeaways

  • The changes made to Qakbot make it very difficult for antivirus software to detect the malware.
  • Qakbot goes undetected at download time because the payload is delivered obfuscated and saved in two separate files.
Publisher: Cyware