QakBot

Description

(IBM) Though well-known and familiar from previous online fraud attacks, QakBot continually evolves. This is the first time IBM X-Force has seen the malware cause AD lockouts in affected organizational networks.

Although part of QakBot is known to be a worm, it is a banking Trojan in every other sense. QakBot is modular, multithread malware whose various components implement online banking credential theft, a backdoor feature, SOCKS proxy, extensive anti-research capabilities and the ability to subvert antivirus (AV) tools. Aside from its evasion techniques, given admin privileges, QakBot’s current variant can disable security software running on the endpoint.

Names

Name
QakBot
QuakBot
QuackBot
Qbot
PinkSlip
Pinkslipbot
Oakboat

Category

Malware

Type

  • Banking trojan
  • Backdoor
  • Credential stealer
  • Tunneling
  • Worm
  • Botnet

Information

MITRE ATT&CK

Malpedia

AlienVault OTX

Other Information

UUID

6bb64dfb-6ed0-4453-9cbc-618e6eb67d03

Last Card Change

2024-06-18