
QakBot Reappears to Swipe Banking Login Credentials for Shrewd Hackers

Although one of QakBot's primary functions is exfiltrating banking credentials, the data stolen during some of the high-profile attacks it was responsible for shows that this malware family is a lot more than a simple financial Trojan. It caused quite a stir when it breached the systems of a US unemployment agency back in 2011, and, after compromising a few other organizations over the following years, it suddenly vanished. Some researchers thought that the world had finally rid itself of QakBot. They were wrong.

IBM's X-Force Research Team said last week that they've seen a new version of QakBot in action. As always, the Trojan is targeting business organizations, with most of the victims working in the financial, healthcare, and technology sectors. There are a few updates, and the researchers have also noticed a nasty side effect to the whole operation.

QakBot can arrive on a host either through an exploit kit or via a malicious email attachment. What lands first is the dropper, and it does not act immediately: to avoid sandboxes that would flag it as suspicious, it sits idle for between 10 and 15 minutes. After that, it spawns a new explorer.exe process and injects its DLL into it. By corrupting its original file on disk, the dropper tries to thwart further analysis. The newly launched explorer.exe process then downloads the QakBot payload, which arrives as a large blob of ASCII hex and is copied to several places across the system. Next, the Trojan sets about making itself persistent.

First, a registry Run key is created so that the malware is launched every time Windows boots. For good measure, QakBot sets up not one but two scheduled tasks, which ensure that if someone stops the process or deletes the binary, it will be re-downloaded and re-executed. With persistence dealt with, it moves on to one of its signature features.

After establishing a connection with the Command and Control (C&C) server, the Trojan receives the "13" command, which triggers its lateral movement mechanism. First, it tries to connect to the Domain Controller (the server that holds the account database for a Windows domain) and scrape the usernames associated with the rest of the endpoints. If that succeeds, QakBot pairs the usernames with a list of commonly used passwords and tries to log in to neighboring computers. If it cannot get the usernames from the Domain Controller, it falls back to brute-forcing its way in with a dictionary of login credentials hardcoded into the malware. This is where the nasty side effect mentioned earlier comes in.

Once the domain's lockout threshold is exceeded, the Domain Controller locks the targeted accounts, and their legitimate owners are denied access to network resources. Work at the victim organization can effectively grind to a halt, which is exactly what IBM's researchers observed while investigating a few recent QakBot attacks. This does not make the malware very stealthy, and its authors will likely put some effort into refining the worm functionality in coming versions.
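The lockout storm described above is also what makes this stage detectable from the defender's side: one workstation generating failed logons (Windows Security event 4625) against many different accounts in a short window, followed by account lockouts (event 4740). The script below is an added example, not code from the article or from IBM X-Force, that runs that detection logic over a constructed set of event records. The event tuples, host names, user names, the 5-attempt lockout threshold and the 10-minute window are all assumptions; in practice the records would come from a SIEM or an evtx parser and the threshold from the domain's actual lockout policy.

```python
"""Spot password spraying and resulting lockouts in Windows Security events.

Added example: the events below are constructed, not taken from any real
incident. Event 4625 = failed logon, event 4740 = account locked out.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, target_user, source_workstation).
# WS-017 plays the infected host spraying a password list across the domain;
# WS-042 is an ordinary user mistyping a password twice.
SAMPLE_EVENTS = [
    ("2017-06-01T09:00:01", 4625, "alice", "WS-017"),
    ("2017-06-01T09:00:02", 4625, "bob",   "WS-017"),
    ("2017-06-01T09:00:03", 4625, "carol", "WS-017"),
    ("2017-06-01T09:00:04", 4625, "dave",  "WS-017"),
    ("2017-06-01T09:00:05", 4625, "erin",  "WS-017"),
    ("2017-06-01T09:00:06", 4625, "frank", "WS-017"),
    ("2017-06-01T09:00:07", 4625, "bob",   "WS-017"),
    ("2017-06-01T09:00:08", 4625, "bob",   "WS-017"),
    ("2017-06-01T09:00:09", 4625, "bob",   "WS-017"),
    ("2017-06-01T09:01:30", 4625, "grace", "WS-042"),
    ("2017-06-01T09:01:45", 4625, "grace", "WS-042"),
    ("2017-06-01T09:02:00", 4740, "alice", "WS-017"),  # DC locked alice out
]

LOCKOUT_THRESHOLD = 5            # assumed domain policy: 5 bad attempts lock an account
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5           # distinct accounts one host must fail against


def parse(events):
    """Turn the raw tuples into (datetime, event_id, user, host) records."""
    return [(datetime.fromisoformat(ts), eid, user, host) for ts, eid, user, host in events]


def detect_spray(events=SAMPLE_EVENTS, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Return {host: sorted accounts} for every source host whose failed logons
    touched at least `min_accounts` distinct users inside one sliding window."""
    by_host = defaultdict(list)
    for ts, eid, user, host in parse(events):
        if eid == 4625:
            by_host[host].append((ts, user))
    hits = {}
    for host, attempts in by_host.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[host] = sorted(users)
                break
    return hits


def lockouts(events=SAMPLE_EVENTS):
    """Accounts the Domain Controller has already locked (event 4740)."""
    return sorted({user for _, eid, user, _ in parse(events) if eid == 4740})


def accounts_at_risk(events=SAMPLE_EVENTS, threshold=LOCKOUT_THRESHOLD):
    """Accounts within one failed attempt of the assumed lockout threshold,
    i.e. the next spray iteration will lock them too."""
    counts = Counter(user for _, eid, user, _ in parse(events) if eid == 4625)
    return sorted(u for u, n in counts.items() if n >= threshold - 1)


if __name__ == "__main__":
    for host, users in detect_spray().items():
        print(f"spray from {host}: {', '.join(users)}")
    print("already locked:", lockouts())
    print("about to lock:", accounts_at_risk())
```

The per-host sliding window is what separates a spraying endpoint from a user fat-fingering their own password: WS-042 fails twice against a single account and is never reported, while WS-017 trips the rule on its first six attempts. Isolating the reported workstation is the practical response, since the lockouts themselves are only the symptom.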

Regardless of how many PCs it infects on a network, QakBot deploys its web injects, which detect when the victim is visiting an online banking site and capture sensitive information from the session. Unlike many other threats of this type, QakBot fetches the injects from an attacker-controlled server rather than carrying them inside its own binary, so they can be updated without redeploying the malware. Ultimately, the threat actors' goal is to gain access to the victims' bank accounts and drain them. As mentioned already, however, this is far from QakBot's only purpose.

The Trojan also ships components that record keystrokes, steal cookies, harvest credentials for POP3 and FTP services, and lift the usernames and passwords stored by the browser. QakBot can exfiltrate a host of other information about the system as well, including the user's privilege level, OS version and installed software.

Despite being around for eight years now, QakBot is still an extremely serious piece of kit, and the current campaign shows that its authors have no intention of retiring it. If anything, it shows that they intend to keep improving it.
