The end of summer 2020 has been marked by a series of unwelcome comebacks in the threat landscape: first Emotet and now QakBot.
The banking trojan has returned to the scene with new tricks up its sleeve and is targeting government, military, and manufacturing sectors in the US and Europe, according to Check Point Research.
According to the analysis released last week, the latest wave of QakBot activity appears to be closely tied to the other notorious return, that of Emotet.
As Check Point revealed last week: “These days QakBot is much more dangerous than it was previously — it has an active malspam campaign which infects organizations, and it manages to use a ‘third-party’ infection infrastructure like Emotet’s to spread the threat even further”.
An old enemy
QakBot (also known as QuakBot, Qbot, or Pinkslipbot) was first spotted in 2008, but it has since evolved from a “simple” info stealer into a “do it all – steal it all” trojan, adept at delivering other kinds of malware, including some new strains of ransomware.
On top of that, QakBot can now remotely connect to a victim’s Windows system and carry out banking transactions from the victim’s own IP address, so that the fraudulent activity appears to originate from a location the bank already trusts.
Its operators usually infect victims with the age-old, but always profitable, phishing technique: victims are lured to websites that use exploits to deliver QakBot via a dropper.
Last June, as spotted by F5 Labs, the malware was equipped with detection- and analysis-evasion techniques aimed at frustrating forensic examination.
Then, only two weeks ago, another researcher unpacked a QakBot sample that came with two new methods designed to bypass Content Disarm and Reconstruction (CDR) and Endpoint Detection and Response (EDR) systems.
The infection chain detailed by Check Point follows a similar pattern.
The infection chain
It all begins with a specially crafted phishing email containing an attached ZIP file, or a link to a ZIP file, that includes a malicious Visual Basic Script (VBS).
The script then downloads additional payloads that maintain a communication channel with an attacker-controlled server and execute the commands it sends.
As with Emotet, QakBot’s phishing emails are injected into previously stolen email threads between the two parties (so-called reply-chain hijacking) to lend them an air of credibility.
The conversations are gathered beforehand by an email collector module, which for now seems to work only with Outlook, and are uploaded to a hardcoded remote server.
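The delivery pattern just described, a ZIP attachment carrying a Windows script, sent as a "reply" to a stolen thread, is something a mail gateway or SOC can triage with a few lines of code. The following is an added example, not code from Check Point or from the QakBot samples; the messages and archives it inspects are constructed inline, and the reply-chain check (a reply-style subject with no threading headers) is a heuristic, not a signature from the research.

```python
"""Triage an e-mail for the QakBot delivery pattern: a ZIP (possibly nested)
carrying a Windows script such as a .vbs file, sent as a fake reply.
Added example; the sample messages below are constructed, not real QakBot mail."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the Windows Script Host or shell will execute directly on double-click.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".cmd", ".bat", ".ps1", ".lnk"}
MAX_DEPTH = 2            # nested archive levels to descend
MAX_NESTED_BYTES = 5_000_000  # refuse to unpack huge nested members (zip-bomb guard)


def scan_zip(data: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return a finding for every script-like member, descending into nested ZIPs."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix}<not a valid zip>"]
    for info in zf.infolist():
        name = info.filename
        lowered = name.lower()
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if ext in SCRIPT_EXTENSIONS:
            tag = "script member"
            if lowered.count(".") > 1:          # e.g. Document.pdf.vbs
                tag += " with double extension"
            findings.append(f"{tag}: {prefix}{name}")
        elif ext == ".zip" and depth < MAX_DEPTH and info.file_size <= MAX_NESTED_BYTES:
            findings.extend(scan_zip(zf.read(info), depth + 1, f"{prefix}{name}/"))
    return findings


def triage_message(raw: bytes) -> dict:
    """Walk a raw RFC 822 message and report indicators of the ZIP->VBS lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    report = {"subject": subject, "findings": []}
    # Reply-chain hijacking heuristic: claims to be a reply, yet is not threaded.
    if subject.startswith(("re:", "fw:", "fwd:")) and not (msg["in-reply-to"] or msg["references"]):
        report["findings"].append("reply-style subject without In-Reply-To/References")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the magic bytes, not just the declared name.
        if filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            report["findings"].extend(f"{filename}: {f}" for f in scan_zip(payload))
    report["verdict"] = "suspicious" if report["findings"] else "clean"
    return report


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct a ZIP in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_message(subject: str, attachment_name: str, attachment: bytes, threaded: bool) -> bytes:
    """Helper to construct a raw message with one ZIP attachment (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "partner@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    if threaded:
        msg["In-Reply-To"] = "<original-thread@example.org>"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()


# Constructed lure: a ZIP on a fake "RE:" mail, carrying a placeholder .vbs (not real malware).
MALICIOUS_ZIP = build_zip({"Document_0813.pdf.vbs": b"' placeholder script body\r\n"})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 constructed sample"})


def demo() -> tuple[dict, dict]:
    lure = triage_message(build_message("RE: invoice", "Document_0813.zip", MALICIOUS_ZIP, threaded=False))
    benign = triage_message(build_message("RE: invoice", "report.zip", BENIGN_ZIP, threaded=True))
    return lure, benign


if __name__ == "__main__":
    for r in demo():
        print(r["verdict"], r["findings"])
```

The archive check keys on member extensions rather than on the declared attachment type, since the lure's whole point is that a ZIP looks harmless to a user while its contents run under the Windows Script Host; nested archives are descended a bounded number of levels with a size cap so that a malformed or oversized attachment cannot stall the scanner.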
A raft of updates
The Trojan’s operators are not sitting idle either: they have released as many as 20 versions of the malware since the start of the year, the last known one on August 7.
That’s not all. QakBot also has a separate mechanism for recruiting compromised machines into a botnet, a proxy module that allows an infected machine to be used as a control server.
The threat is real, as Check Point Research’s Yaniv Balmas said: “Our research shows how even older forms of malware can be updated with new features to make them a dangerous and persistent threat. The threat actors behind QakBot are investing heavily in its development to enable data theft on a massive scale from organizations and individuals.”
Combined with its relationship with Emotet, this promises a worrying future for the development of this Trojan…