Qakbot, also known as Qbot, is a network worm targeting banking credentials. It propagates by copying itself to network drives and infecting removable drives.
First seen in 2009, researchers at Cylance most recently found thousands of infections by the malware. They believe this sharp increase in infections could be linked to exploit kits like RIG EK.
Upon infection with Qbot, computers will download a file from a speed test website, determining the amount of bandwidth available to it.
It will contact the C&C server and enumerate the installed software on the device, including the IP address of the infected network and whether the infected user has admin credentials.
To spread to password protected drives, Qbot will initially attempt brute force using a short list of common passwords. If that fails, the malware will try to access cached passwords in Window's Credential Store and Internet Explorer's Password Manager.
In order to avoid antivirus detection, it's continuously recompiled after injecting random data into the binary template. This will create a "new" copy of the malware, hashed to different values.
Specifically, this shows that just using hashes to prevent malware infection does not work. Cyber criminals continuously find different ways to evade anti-malware programs.
The latest version of the malware aims to avoid sandbox-based detection by waiting 10 to 15 minutes before executing. This update has been seen locking victims out of Active Directory accounts after repeated brute force attempts. Too many failed authentications leave employees unable to access their computers and company servers.
The latest campaign is primarily focused on banking industries in the United States, but has also been seen targeting pharmaceutical businesses and companies in the technology sector.
To add protection against Qbot we recommend enabling the following targets:
If you do not have a ThreatSTOP account,
If you do have a ThreatSTOP account, instructions to add targets to a DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub. Or, contact our