Qakbot (also known as Quakbot or Qbot) is a malware strain that has been used to attack financial institutions since 2008. Its primary purpose is stealing bank credentials in order to enable wire fraud. Don't let its age fool you, though: it is still a favorite of the bad guys and was seen plenty in 2020. It has also been successful in harvesting multi-factor authentication (MFA) codes, and its presence has been identified as a precursor to ransomware.
This malware has been linked to the recent arrests and raids in Ukraine, including a software package called U-Admin, which is shown stealing passwords and MFA codes in a video on Brian Krebs's security blog: https://krebsonsecurity.com/2021/02/arrest-raids-tied-to-u-admin-phishing-kit/.
Here’s how Qakbot can get into a victim computer in five steps, resulting in command and control:
- A phishing email is sent with a zipped attachment which, when clicked, runs code (typically Visual Basic script) in the background, setting the scene for the payload.
- A series of commands execute, resulting in the download of the Qakbot malware. These commands include the use of PowerShell scripts and executable files (.exe).
- Qakbot then embeds itself into several persistence points, including boot, startup and scheduled tasks. It then phones home, reporting the installed antivirus product, operating system version (e.g. Windows 10) and other system and usage information for the bad guys to use in the attack.
- To gain a better foothold in the network, it brute forces access to network shares and Active Directory users via Server Message Block (SMB) exploitation.
- Finally, communication to and from the victim machine is blended with legitimate web traffic so that it mimics normal, expected traffic.
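The delivery chain above (script host launched from the attachment, then PowerShell, then a dropped executable) is visible as a parent-child process sequence in endpoint telemetry. The following is an added detection example, not code from the original post; it runs over constructed Sysmon-style process-creation events, and the event fields, paths and file names are assumptions for illustration.

```python
"""Flag the Qakbot-style delivery chain: script host (VBS from the zipped
attachment) -> PowerShell -> .exe run from a user-writable path.
Input events are constructed for this example, not real telemetry."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Users\\Public)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def stage(ev):
    """Classify one event as a delivery stage, or None if it is uninteresting."""
    name = basename(ev.image)
    if name in SCRIPT_HOSTS and SCRIPT_EXT.search(ev.cmdline):
        return "script"
    if name in ("powershell.exe", "pwsh.exe"):
        return "powershell"
    if name.endswith(".exe") and USER_WRITABLE.search(ev.image):
        return "dropped_exe"
    return None

def find_delivery_chains(events):
    """Return ancestry chains (root first) ending in script -> powershell -> dropped_exe."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for ev in events:
        if stage(ev) != "dropped_exe":
            continue
        lineage, cur = [ev], ev
        while cur.ppid in by_pid and len(lineage) < 8:   # walk up to the root
            cur = by_pid[cur.ppid]
            lineage.append(cur)
        lineage.reverse()
        order = [s for s in map(stage, lineage) if s]   # ignore benign ancestors
        if order[-3:] == ["script", "powershell", "dropped_exe"]:
            chains.append([basename(e.image) for e in lineage])
    return chains

# Constructed sample events modelled on the five-step chain; nothing here is real.
SAMPLE = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\wscript.exe",
          r"wscript.exe C:\Users\bob\AppData\Local\Temp\Invoice_0221.vbs"),
    Event(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -w hidden -nop -c <constructed download command>"),
    Event(400, 300, r"C:\Users\bob\AppData\Local\Temp\update.exe", "update.exe"),
    Event(500, 100, r"C:\Program Files\Vendor\app.exe", "app.exe"),  # benign
]

if __name__ == "__main__":
    for chain in find_delivery_chains(SAMPLE):
        print("Qakbot-like delivery chain:", " -> ".join(chain))
```

In production the same ancestry walk would run over real process-creation events (Sysmon Event ID 1 or an EDR feed) rather than the constructed list.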
Of course, we won't leave you without some steps to consider in preventing a Qakbot or similar malware infection:
- Disable SMB where it is not needed, or use SMB whitelisting to limit its use to authorized users.
- Use behavior-based antivirus protection.
- Quarantine email messages carrying executables or other script types, e.g. PowerShell. Also, consider enabling DMARC to keep spoofed and malicious messages from reaching users.
- Practice least-privilege access for all accounts, including Active Directory accounts and web filters.
- Train users to properly identify and respond to phishing attempts and malware incidents. The most important step a user can take in a suspected malware infection is to remove the computer from all network connections, for example by unplugging the Ethernet cable and disabling Wi-Fi.