Following up on a Threat Spotlight published in April 2016, it appears that attackers have continued to mutate Qakbot in order to infect new systems. This is the challenge with advanced malware – it continues to change to evade detection and response, and even very minimal changes are usually enough to evade traditional antivirus (AV).
Qakbot has experienced both functional enhancements and multiple layers of obfuscation, coupled with server-side “polymorphism” (behavioral changes), in the last month alone.
Here’s what our latest research turned up:
- Qakbot has adapted to target 64-bit systems across the globe
- The code has been re-written from the ground up in 2017
- More than 20% of the code is specifically designed for evasion and persistence
- The malware is directed at Trend Micro customers
- Qakbot decimates Windows Defender
Background and Timeline
Qakbot has been around for years and it’s similar to Rubber Ducky, Mimikatz, and Bash Bunny in that it can steal credentials and quickly spread through an enterprise over network shares. The malware’s core functionality hasn’t changed much over the years, and deep dives have been performed by various organizations during that time. But it keeps coming back.
Stolen credentials continue to be a huge deal for organizations across the globe. In fact, a majority of breaches are the result of compromised credentials (see: Bank of Bangladesh / SWIFT transfer).
How Is Qakbot Delivered? What Does It Do?
While it is initially delivered through phishing emails, Qakbot has the ability to replicate and travel laterally, like a worm. It’s a net-new take on an ongoing trend. Signature-based AV had alerts on Qakbot as far back as 2012:
- BKDR_QAKBOT.AF [TrendMicro]
- Win32/Qakbot [Computer Associates]
- W32/QakBot [Sophos]
- W32/Akbot [McAfee]
- Trojan-PSW.Win32.Qbot.mk [Kaspersky]
- W32.Qakbot [Symantec]
This post focused on the threat’s polymorphic feature, which allows it to maintain the same functionality across files that look very different. This causes huge problems for signature-based solutions, but our technology is in a unique position to see past these superficial differences.
Who Does Qakbot Affect?
Cylance’s Incident Response (IR) team has seen victims across multiple industries (manufacturing, law, payroll), so we don’t believe any industry is more of a target than others. This malware is usually the result of an opportunistic attack (e.g., a user browses to an infected website, which redirects them to an exploit kit that drops malware to disk).
The business impact of Qakbot comes from account and administrator lock-outs. This makes containment and eradication that much more difficult.
But the threat was underestimated: filed as risk level “low” by the aforementioned AV vendors, Qakbot has flown under the radar for over five years and is now creating true business disruption.
Threat intelligence lookups have come up empty. This means that AV and EDR tools are blind to this threat.
Does Cylance Protect Against Qakbot?
On the other hand, CylancePROTECT® has been instrumental and unique in its ability to stop Qakbot through detection and containment across the enterprise, facilitating eradication.
In the real world, reactive patching just doesn’t cut it for advanced worms like Qakbot – and, just last week, WannaCry.