Showing posts with label encrypted. Show all posts

Wednesday, July 31, 2019

Qakbot: Malware nuance causing headaches!


Malware remains a viable tool for attackers. Once a family has been in circulation for a while, its signatures become known and defensive systems learn to look for them. Attackers are well aware of this and produce variants specifically to evade detection. Qakbot is one such example.
Origins
Qakbot is not new. It has been around since 2007, making it a veteran of the malware game. Despite that long run it is still a viable attack tool, especially with its recent changes.
Operations
Qakbot spreads by copying itself to network shares, so an infection is rarely confined to a single host; it was designed to take over an entire network, not just one node. It is built from multiple components, each with its own task. The early variants used the “.qbot” string and protected their configuration with a single layer of encryption.
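One way to catch the share-based spread from the defender's side is to watch for a single account, from a single source address, reaching administrative shares on many hosts in a short window. The script below is an added example, not code from the original post or from the malware. It parses constructed log lines shaped like Windows Security event 5140 (a network share object was accessed), rendered here as JSON with the field names `ts`, `src`, `user`, `host` and `share` chosen for the demo, and raises an alert when the threshold is met.

```python
"""Detect share-propagation bursts from event 5140 style records (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Administrative shares a worm uses to drop itself on other hosts.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed sample log: one account sweeping four workstations, a backup
# service hitting an ordinary share, and an admin touching one host twice.
SAMPLE_LOG = r"""
{"ts": "2019-07-30T09:00:01", "event_id": 5140, "src": "10.0.5.23", "user": "CORP\\jdoe", "host": "WS-101", "share": "\\\\*\\ADMIN$"}
{"ts": "2019-07-30T09:00:14", "event_id": 5140, "src": "10.0.5.23", "user": "CORP\\jdoe", "host": "WS-102", "share": "\\\\*\\ADMIN$"}
{"ts": "2019-07-30T09:00:40", "event_id": 5140, "src": "10.0.5.23", "user": "CORP\\jdoe", "host": "WS-103", "share": "\\\\*\\C$"}
{"ts": "2019-07-30T09:01:55", "event_id": 5140, "src": "10.0.5.23", "user": "CORP\\jdoe", "host": "WS-104", "share": "\\\\*\\ADMIN$"}
{"ts": "2019-07-30T09:02:10", "event_id": 5145, "src": "10.0.5.23", "user": "CORP\\jdoe", "host": "WS-104", "share": "\\\\*\\ADMIN$"}
{"ts": "2019-07-30T09:03:00", "event_id": 5140, "src": "10.0.5.40", "user": "CORP\\backup-svc", "host": "FS-01", "share": "\\\\*\\Backups"}
{"ts": "2019-07-30T09:04:00", "event_id": 5140, "src": "10.0.5.40", "user": "CORP\\backup-svc", "host": "FS-02", "share": "\\\\*\\Backups"}
{"ts": "2019-07-30T09:05:00", "event_id": 5140, "src": "10.0.5.9", "user": "CORP\\it-admin", "host": "WS-200", "share": "\\\\*\\C$"}
{"ts": "2019-07-30T09:06:00", "event_id": 5140, "src": "10.0.5.9", "user": "CORP\\it-admin", "host": "WS-200", "share": "\\\\*\\C$"}
"""


def parse(text: str) -> list:
    """Keep only event 5140 records, normalise the share name, sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_id") != 5140:
            continue
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        # Event 5140 logs shares as \\*\ADMIN$; keep just the share name.
        rec["share"] = rec["share"].rsplit("\\", 1)[-1].upper()
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(events: list, min_hosts: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when one (src, user) touches admin shares on min_hosts distinct hosts inside window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["share"] in ADMIN_SHARES:
            by_actor[(e["src"], e["user"])].append(e)
    alerts = []
    for (src, user), evs in by_actor.items():
        start, alert = 0, None
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:  # slide the window start forward
                start += 1
            hosts = {ev["host"] for ev in evs[start:end + 1]}
            if alert is None and len(hosts) >= min_hosts:
                alert = {"src": src, "user": user, "first": evs[start]["ts"], "hosts": set(hosts)}
            elif alert is not None and e["ts"] - alert["first"] <= window:
                alert["hosts"].add(e["host"])  # keep collecting hosts hit in that window
        if alert is not None:
            alert["hosts"] = sorted(alert["hosts"])
            alert["first"] = alert["first"].isoformat()
            alerts.append(alert)
    return alerts


def run_demo() -> list:
    """Run the detector over the constructed sample log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert['user']} from {alert['src']} hit admin shares on {alert['hosts']} from {alert['first']}")
```

Event 5140 is only written when the “Audit File Share” subcategory is enabled, so check that first; tune `min_hosts` and `window` to your environment, since deployment tools and backup agents legitimately sweep administrative shares and will need an allow-list.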

Later variants set the configuration files to hidden and gave files and folders random names to make them harder to find. To further complicate analysis on the host, the configuration file’s encryption was doubled to two layers.
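Hidden, randomly named, encrypted files have a recognisable shape that can be hunted for on a suspect host. The script below is an added example, not code from the original post or from the malware: it flags a file when all three traits line up (hidden attribute or leading dot, a name that reads as random, and content entropy close to 8 bits per byte, as encrypted data is). The sample files are constructed in a temporary directory for the demo, and the name heuristic and entropy threshold are assumptions to be tuned.

```python
"""Triage scan for hidden, randomly named, encrypted-looking files (added example)."""
import math
import os
import stat
import tempfile
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def looks_random(stem: str) -> bool:
    """Heuristic for generated names: 6+ alphanumerics with very few vowels."""
    if len(stem) < 6 or not stem.isalnum():
        return False
    letters = [c for c in stem.lower() if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return vowel_ratio < 0.25


def is_hidden(path: str) -> bool:
    """Hidden attribute on Windows; leading dot on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return os.path.basename(path).startswith(".")


def hunt(root: str, entropy_threshold: float = 7.5, max_read: int = 65536) -> list:
    """Return (path, entropy) for files that are hidden, randomly named and high-entropy."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_read)  # the first 64 KiB is enough to judge entropy
            except OSError:
                continue
            stem = os.path.splitext(name.lstrip("."))[0]
            entropy = shannon_entropy(head)
            if is_hidden(path) and looks_random(stem) and entropy >= entropy_threshold:
                hits.append((path, round(entropy, 2)))
    return sorted(hits)


def build_demo(root: str) -> None:
    """Constructed sample files: one Qakbot-shaped decoy and two benign ones."""
    samples = {
        ".tbqksxr.dat": os.urandom(4096),                 # hidden, random name, encrypted-looking
        "config.ini": b"[settings]\nlogging=on\n" * 100,  # visible, readable name, plain text
        ".bash_history": b"ls -la\ncd /tmp\n" * 200,      # hidden, but readable name and low entropy
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


def run_demo() -> list:
    """Build the sample tree, scan it and return just the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        build_demo(root)
        return [os.path.basename(path) for path, _ in hunt(root)]


if __name__ == "__main__":
    print(run_demo())
```

Requiring all three traits keeps the noise down: plenty of legitimate files are hidden, and plenty (archives, images, certificates) are high-entropy, but few are both and also carry a name with no recognisable words. Point `hunt()` at `%APPDATA%` or `%PROGRAMDATA%` on a suspect Windows host rather than at the whole drive.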

In this iteration, infection begins either by luring the victim to a malicious site hosting an exploit kit or by emailing the victim a crafted PDF. Once the machine is infected, the malware watches for visits to banking and finance websites; it was coded to recognise activity with JPMorgan Chase, Citibank, Citigroup, Huntington Bank, Bank of America, Wells Fargo, Fifth Third Bank, Key Bank, PNC Bank, and others.

It was also configured to harvest credentials from Windows, Outlook, Windows Live Messenger, RDP, and Gmail. If that were not enough, it also raided Internet Explorer’s password manager.
Long-Lasting Malware
In the cybersecurity field, not all malware enjoys such a long useful life. This iteration has many components, each functioning differently. One notable feature: when it detects that it is running in a VM, the malware uninstalls itself. That makes it substantially harder for a researcher to reverse engineer the sample or monitor its behaviour, since it removes itself from the sandbox; analysis environments need to hide their hypervisor artifacts to see it run. The malware is not static either, which makes it hard to write a lasting AV signature: it is updated as needed from the C&C server, and the updates are designed to mutate its appearance. At one point in this cycle, 85% of the infected systems were in the US, with the academic, government, and healthcare sectors hit hardest. This level of penetration was mostly due to its ability to modify itself.

Resources
Cluley, G. (2016, April 16). Mutating qbot worm infects over 54,000 PCs at organizations worldwide. Retrieved from https://www.tripwire.com/state-of-security/featured/qbot-malware/

Dela Torre, J. (2011, September 1). Qakbot: A disaster waiting to happen. Retrieved from https://www.virusbulletin.com/virusbulletin/011/09/qakbot-disaster-waiting-happen

Millman, R. (2019, May 3). Qakbot malware avoids discovery by breaking itself in two. Retrieved from https://www.scmagazineuk.com/qakbot-malware-avoids-discovery-breaking-itself-two/article/153689

Trend Micro. (2011, January 12). QAKBOT: A prevalent infostealing malware. Retrieved from https://www.trendmicro.com/vinfo/us/threat-encyclepedia/web-attack/80/qakbot-a-prevalent-infostealing-malware

Tuesday, March 26, 2019

Woesnotgone Meadow; March 26, 2019



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, we have our school system. It isn’t huge, but it is the right size for the community. We have all the amenities of the larger schools and cater to the students. That can be a blessing and a liability. Any school can be a target, as the Bridgeport schools in CT have found.

Public schools abound across the nation, located locally and in many cases within the very neighborhoods their students live in. They provide a vital service to residents and children alike. The subject here is the Bridgeport School District, located in Bridgeport, CT.

The attack was much like so many others, in school districts and across other industries: the district was hit with a ransomware campaign. The delivery mechanism was not directly stated in the reporting; phishing is presumed only because it is the usual vector.

Although no data was exfiltrated, the ransomware itself succeeded. The usual pattern is for PCs and/or servers (servers being the attacker’s preference) to be encrypted, with the decryption key supplied, hopefully, after the fee is paid; the alternative is to restore from backups if they are viable and current. In this attack a portion of the district’s data was indeed encrypted. Neither the composition of the data nor the ransom amount was detailed in the publications.

The school district’s superintendent stated no data was exfiltrated. The attackers were, however, able to access PowerSchool, the system used to store student data. A few teachers noted the encrypted data was primarily their own work product (e.g. lesson plans and teaching materials); student work and the personal data of students and teachers were not affected.

Once the district detected the issue, staff worked through the weekend to contain it, with the goal of limiting the damage to the data. All district employees were then required to change their passwords and were directed not to bring their own equipment into the workplace. The district was also working with law enforcement.

This successful attack shows where user-focused effort pays off for the health and cybersecurity of an organization. When BYOD (bring your own device) is allowed, whatever is on the employee’s personal laptop or device comes into the network with it once attached, and the business is at the mercy of that person’s level of cybersecurity hygiene, or lack of it. There should also be substantial training on email and phishing, including what to look for and how to recognize suspicious requests.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Lambeck, K.C. (2019, January 8). Bridgeport schools computer network falls victim to cyberattack. Retrieved from https://www.ctpost.com/local/article/Bridgeport-Schools-computer-network-hit-by-113515819.php

Lambeck, K.C. (2019, January 9). Connecticut school district hit with ransomware attack. Retrieved from http://www.govtech.com/security/Connecticut-School-District-Hit-with-Ransomware-Attack.html

Olenick, D. (2019, January 8). Bridgeport, Conn., schools hit with ransomware. Retrieved from https://www.scmagazine.com/home/security-news/bridgeport-conn-schools-hit-with-ransomware/