
The Decade-Old Qakbot Malware Adopts Ransomware Capabilities

Qakbot, the trojan known for stealing bank credentials, has started spreading ransomware payloads. The new tactic blurs the line between Qakbot infections and other attacks, making it harder for network defenders to tell them apart.

The Qakbot trojan

A recent analysis by Kaspersky disclosed detection statistics for Qakbot, which suggest that the trojan's infection rate increased by 65% between January and July compared with the same period last year.
  • The main infection vectors for Qakbot include email attachments, embedded images, or links. Additionally, it uses VBA macros and legacy Excel 4.0 macros.
  • It uses process injection to hide malicious processes, creates scheduled tasks for persistence, and manipulates the Windows registry.
  • Upon execution, it uses numerous techniques for lateral movement, leverages Cobalt Strike, or delivers ransomware. In the past, the trojan has been observed delivering multiple ransomware families such as MegaCortex, Egregor, ProLock, and REvil.

A modular structure

Qakbot uses multiple modules to achieve different goals. These modules may have been developed by the attackers themselves or borrowed from third-party repositories and adapted to their requirements.
  • It uses the Cookie Grabber module to collect cookies from web browsers, Hidden VNC to connect to the infected machine, and Email Collector to find Outlook on the infected machine.
  • Additionally, it uses the Hooking module for web injections, the Passgrabber module to collect logins/passwords from different sources, and the Proxy module to identify available ports.

Conclusion

Qakbot has been active for over a decade and has successfully stolen sensitive credentials from a large number of targets. For better protection, experts recommend using anti-phishing protection and strict browser settings that block malicious sites. Additionally, it is suggested to turn on the Windows Antimalware Scan Interface (AMSI) for runtime macro scanning.
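The AMSI recommendation above maps to the Office "MacroRuntimeScanScope" setting. The following PowerShell is an added example, not code from the article or from Kaspersky; it audits the per-user value and raises it so that VBA macros in every document, including trusted ones, are handed to AMSI at runtime. The Office version path (16.0) is an assumption.

```powershell
# Added example (not from the article): audit and set the Office VBA AMSI
# macro runtime scan scope for the current user.
# Key and value names are Microsoft's documented MacroRuntimeScanScope setting;
# the "16.0" version segment is an assumption for Office 2016/2019/365.
$Key  = 'HKCU:\Software\Microsoft\Office\16.0\Common\Security'
$Name = 'MacroRuntimeScanScope'

# 0 = runtime scanning disabled
# 1 = scan macros only in low-trust documents (Office default)
# 2 = scan macros in all documents, including trusted ones
$Labels = @{ 0 = 'Disabled'; 1 = 'LowTrustDocumentsOnly'; 2 = 'AllDocuments' }

function Get-MacroScanScope {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }   # value absent: Office default (1) applies
    return [int]$item.$Name
}

function Set-MacroScanScope {
    param([ValidateSet(0, 1, 2)][int]$Scope = 2)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Scope -Force | Out-Null
}

$before = Get-MacroScanScope
Write-Host "Current macro runtime scan scope: $before ($($Labels[$before]))"
if ($before -ne 2) {
    Set-MacroScanScope -Scope 2
    $after = Get-MacroScanScope
    Write-Host "Updated macro runtime scan scope: $after ($($Labels[$after]))"
}
```

In managed environments the same control is the "Macro Runtime Scan Scope" Group Policy setting, which takes precedence over the per-user value when configured.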

Cyware Publisher
