QakBot 2017 Variant Causes Massive Active Directories On PCs

QakBot 2017 Variant Causes Massive Active Directories On PCs
Rate this post

Qakbot (Qbot) firstly emerged in the year 2009 as a piece of computer malware programmed to steal online banking credentials from victimized computers. The program used classic key-logger technology combined with an ability to steal active session authentication tokens to piggyback on existing online banking sessions. Qakbot has evolved since that time, adding additional methods of persistence and targets. The team of security researchers has also encountered one of the more recent variants when asked to remediate a client’s infected network. QakBot 2017 Variant is notoriously banking trojan or a worm that is difficult to detect and remove due to its numerous integrated persistence methods and multilayer obfuscation techniques that make it difficult for malware researchers to access its core code. IBM security analyst, noticed that hundreds to thousands of Active Directory users were locked out of their organization’s domain, the incident is caused by the Qbot banking malware. The culprits behind this malware was designed to target businesses and steal money from bank accounts, it implements network wormable capabilities to self-replicate through shared drives and removable media.

QakBot 2017 Infecting More Systems

To infect more no of PC’s, the new variant QakBot 2017 spreading with the help of a dropper that waits about 15 minutes to execute explorer.exe. This is done to decrease the chance of detection from anti-virus engines. The dropper then opens an executable, injects a Dynamic Link Libraries (DLL) into that process, overwriting the original file. Finally, the dropper downloads QakBot. Later on, to access and infect other machines in the network, the malware uses the credentials of the affected user and a combination of the same user’s login and domain credentials, if they can be obtained from the domain controller (DC). QakBot may collect the user name of the infected PC and use it to attempt to log-in to other systems in the domain.” continues the analysis. If the malware fails to enumerate user names from the domain controller and the target machine, the malware will use a list of hard-coded user names instead. The malware gains on the target machine using a Registry key and scheduled tasks.

The dropper uses the ping.exe utility to invoke a ping command that will repeat six times in a loop. Once the pings are complete, the contents of the original QakBot dropper are overwritten by the legitimate Windows autoconv.exe command.

C:\Windows\System32\cmd.exe” /c ping.exe -n 6 & type

C:\Windows\System32\autoconv.exe” à “C:\Users\UserName\Desktop\7a172.exe

QakBot 2017 – A Banking Trojan

QakBot 2017 is financial threat known to target businesses to get their online banking accounts details. The malware features worm capabilities to self-replicate through shared drives and removable media. It uses powerful information stealing features to monitor on users’ banking activity and eventually defraud them of large sums of money. Expert also found that the malware uses man-in-the-browser (MitB) attacks to inject malicious code into online banking sessions, it fetches the scripts from the domain it controls.

QakBot 2017 also targeting Active Directory domains by performing three suspicious actions over target PC

  • it would perform automated logon attempts, some launched using accounts that do not exist.
  • lock out hundreds to thousands of accounts in quick succession; it would perform automated
  • it would deploy malicious executables to network shares and register them as a service.

Related Banking TrojansTelax Banking, Trojan.Mirai, Trojan.Agentemis!gen1

Prevention Measures Against QakBot 2017

QakBot 2017 is a Trojan malware that is capable of spy the browsing activities of the infected computer and logs all information related to finance-related websites. Since QakBot primarily targets businesses and banks, potential victims should use adaptive malware detection solutions with real-time capabilities. So it is necessary for computer user is awarness about cybersecurity. As experts PC users can protect themselves by following prevention measures like by practicing browsing hygiene, disabling online ads, filtering macro execution in files that come via email. However, prevention is the best way to ensure you are never infected with spyware and your data is never lost or stolen. It is possible to clean up an infected machine and remove spyware but sometimes the damage from certain spyware, such as Trojan cannot be fixed as files become stolen or otherwise corrupted.

Posted in Security Articles and tagged .

Leave a Reply

Your email address will not be published. Required fields are marked *