Qakbot: the malware trojan has been a threat for 15 years and will continue to evolve
- Qakbot originated in 2008 as a banking trojan designed to steal login credentials and carry out ACH, wire and credit card fraud.
- In recent years, Qakbot has operated as an initial access broker, delivering Cobalt Strike and eventually leading to further malware infections, such as the BlackBasta ransomware.
- Over the years, Qakbot's anti-analysis techniques have improved to bypass malware sandboxes, antivirus software and other security products.
- The malware is modular and can download plug-ins to add new functionality.
- The threat group behind Qakbot has now released five different versions of the malware, with the latest release in December 2023.
Amsterdam, 8 February 2024 - Zscaler, a leader in cloud security, has been investigating Qakbot for almost 15 years and is once again warning of this innovative malware trojan. Qakbot (also known as QBot or Pinkslipbot) is a malware trojan used to control one of the oldest and longest-running cybercrime enterprises. Qakbot evolved from a banking trojan into a malware implant that can be used for lateral movement and the eventual deployment of ransomware. In August 2023, the Qakbot infrastructure was dismantled by law enforcement, but only a few months later, in December 2023, the fifth (and newest) version of Qakbot was released. After 15 years of Qakbot, the conclusion is clear: the threat group behind Qakbot is resilient, persistent and innovative.
Zscaler has been tracking Qakbot for almost fifteen years. The first samples of this malware trojan date back to 2008. At that time, Qakbot used a dropper with two components embedded in its resource section: a malicious DLL and a tool to inject that DLL into running processes. The Qakbot DLL implemented a wide range of functions, including a SOCKS5 server, password theft, cookie collection and spreading via SMB. Qakbot was largely used for bank fraud until 2019. Since then, the threat actor has also operated as an initial access broker for ransomware, including Conti, ProLock, Egregor, REvil, MegaCortex and BlackBasta.
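The early dropper layout described above (an injector and a payload DLL carried as embedded images) is something a defender can triage for without running the sample. The following is an added example, not Zscaler's code or anything from the Qakbot analysis: it scans a byte blob for additional `MZ`/`PE` headers and reports whether each embedded image is a DLL and which architecture it targets. The container and the stub images are constructed inline; they are PE-shaped byte strings, not real executables, and the heuristic does not walk the resource directory the way a full PE parser would.

```python
import struct

IMAGE_FILE_DLL = 0x2000                       # COFF Characteristics flag for DLL images
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}


def build_stub_pe(machine: int, is_dll: bool) -> bytes:
    """Build a minimal, non-runnable PE-shaped blob for the demo (constructed test data):
    a DOS header whose e_lfanew points at a PE signature followed by a COFF file header."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)           # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE header at offset 0x40
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE (+DLL)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + b"\x00" * 32   # 120 bytes in total


# Constructed "dropper": an outer x86 image with an injector EXE and a payload DLL appended,
# mimicking the two-component layout described in the text. Not a real sample.
SAMPLE_CONTAINER = (
    build_stub_pe(0x014C, is_dll=False)               # outer file header at offset 0
    + b"\xAA" * 100
    + build_stub_pe(0x014C, is_dll=False)             # embedded injector at offset 220
    + b"\x00" * 77
    + build_stub_pe(0x8664, is_dll=True)              # embedded payload DLL at offset 417
    + b"\xFF" * 50
)


def find_embedded_pe(data: bytes, skip_outer: bool = True) -> list:
    """Return every offset at which an MZ header with a valid e_lfanew -> 'PE\\0\\0' chain
    appears inside data. With skip_outer=True the file's own header at offset 0 is ignored."""
    hits = []
    idx = data.find(b"MZ", 1 if skip_outer else 0)
    while idx != -1:
        if idx + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, idx + 0x3C)[0]
            pe = idx + e_lfanew
            # Sanity limits keep random 'MZ' byte pairs from being reported as images.
            if 0 < e_lfanew < 0x1000 and pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                machine, = struct.unpack_from("<H", data, pe + 4)
                characteristics, = struct.unpack_from("<H", data, pe + 22)
                hits.append({
                    "offset": idx,
                    "machine": MACHINE_NAMES.get(machine, hex(machine)),
                    "is_dll": bool(characteristics & IMAGE_FILE_DLL),
                })
        idx = data.find(b"MZ", idx + 1)
    return hits


if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_CONTAINER):
        kind = "DLL" if hit["is_dll"] else "EXE"
        print(f"embedded {kind} ({hit['machine']}) at offset {hit['offset']}")
```

A hit is only a starting point: packed or encrypted payloads will not show a clear-text header, so a clean scan does not clear a file, while a hit on a legitimate installer is common and needs the usual context (signer, source, behaviour) before it is treated as a dropper.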
Each version of Qakbot represents a snapshot in time and is indicative of the threat landscape during that period. Early versions, for example, included hard-coded command-and-control (C2) servers. As time passed, law enforcement and malware researchers successfully worked with domain registrars to suspend malicious domains. In response, Qakbot added network encryption, among other things, and a domain generation algorithm (DGA) to remove the C2 server as a single point of failure. While a DGA addressed the single-point-of-failure problem, it also generated significant noise, because infected systems had to query a large number of domains. To fix this, Qakbot's developers devised an entirely new multi-level architecture in which compromised systems acted as proxy servers, relaying network traffic between other infected systems and the backend C2 infrastructure. This design update solved the single-point-of-failure problem, reduced network traffic and effectively hid the subsequent C2 layers.
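The "noise" that a DGA produces is exactly what gives defenders a detection opportunity: a host cycling through generated names leaves a burst of NXDOMAIN answers for high-entropy, never-before-seen labels. The following is an added example, not part of the press release and not Qakbot's actual algorithm (which the text does not describe): a generic per-client heuristic over constructed resolver log lines that flags hosts combining many NXDOMAIN responses, many distinct second-level labels and high mean label entropy. Thresholds and the log format are assumptions for the demo.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from the page): "timestamp client_ip qname rcode" per line.
# 10.0.0.5 browses ordinary names; 10.0.0.9 behaves like a host probing generated domains.
SAMPLE_DNS_LOG = """\
2024-02-08T10:00:01Z 10.0.0.5 www.example.com NOERROR
2024-02-08T10:00:04Z 10.0.0.5 mail.example.com NOERROR
2024-02-08T10:00:09Z 10.0.0.5 cdn.example.net NOERROR
2024-02-08T10:00:02Z 10.0.0.9 qz8kxv3pwrt.net NXDOMAIN
2024-02-08T10:00:02Z 10.0.0.9 h4mb7yqd2ks.com NXDOMAIN
2024-02-08T10:00:03Z 10.0.0.9 wn9cpf5xjlt.org NXDOMAIN
2024-02-08T10:00:03Z 10.0.0.9 v2rkd8zmgqa.net NXDOMAIN
2024-02-08T10:00:04Z 10.0.0.9 t7xpl3nvbcs.com NXDOMAIN
2024-02-08T10:00:05Z 10.0.0.9 bj6qw4rzhmd.org NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; generated labels tend to score far above dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str) -> list:
    """Parse the assumed four-column format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "rcode": rcode.upper()})
    return records


def second_level_label(qname: str) -> str:
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def summarize_clients(records: list) -> dict:
    """Aggregate per client: query count, NXDOMAIN count, distinct labels, label entropies."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "labels": set(), "entropies": []})
    for r in records:
        s = stats[r["client"]]
        s["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
        label = second_level_label(r["qname"])
        s["labels"].add(label)
        s["entropies"].append(shannon_entropy(label))
    return stats


def flag_dga_like_clients(records: list, min_nxdomain: int = 4,
                          min_mean_entropy: float = 3.0, min_distinct: int = 4) -> dict:
    """Return clients whose query pattern matches all three DGA indicators (assumed thresholds)."""
    flagged = {}
    for client, s in summarize_clients(records).items():
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        if (s["nxdomain"] >= min_nxdomain and mean_entropy >= min_mean_entropy
                and len(s["labels"]) >= min_distinct):
            flagged[client] = {"queries": s["queries"], "nxdomain": s["nxdomain"],
                               "distinct_labels": len(s["labels"]),
                               "mean_entropy": round(mean_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for client, info in flag_dga_like_clients(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {info}")
```

In production the aggregation would run over a sliding time window rather than a whole file, and the thresholds need tuning against the network's baseline, since CDNs and some telemetry services also use random-looking labels; the later proxy-based Qakbot architecture described in the text is precisely what removed this signal from the wire.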
Qakbot is a sophisticated trojan that has evolved significantly over the past 15 years and remains remarkably persistent and resilient. Despite the significant disruption of its infrastructure in August 2023, Qakbot remains active and has recently updated its codebase to support 64-bit versions of Windows, improved its encryption algorithms and added more obfuscation. This shows that Qakbot will remain a threat in the future. ThreatLabz continues to closely monitor Qakbot's developments.
Visit the website for a full technical analysis of Qakbot.