The technical details of QakBot, a decade-old banking Trojan, were laid out in a detailed analytical report by a security firm. Active since 2007, it has continued to claim victims while evolving all the while.
Analysis of the attack chain
The report describes the Trojan’s infection chain, routine functions, communication with its C2 servers, and other details.
- QakBot is best known for spreading through spam sent to its victims. Only last year did it begin using phishing emails carrying ZIP attachments that contain Office documents.
- The documents contain macros, and the email urges the victim to open the attachment, which purports to hold important information. In some cases the emails instead carry links to web pages that distribute the malware-laced documents.
- The malware itself is then delivered by a DLL loader binary, which communicates with the C2 server.
- Typical QakBot operations include collecting information about the compromised host, creating scheduled tasks, harvesting credentials, and manipulating the registry, among others.
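The delivery chain above (ZIP attachment, Office document inside, macro inside that) gives a mail gateway something concrete to check. The following is an added example written for this summary, not code from eScan or from the underlying report. It assumes that the Office Open XML formats (.docx, .docm, .xlsm, ...) are themselves ZIP containers and store a VBA project as a part named vbaProject.bin, which is how those formats are specified; legacy OLE2 files (.doc, .xls) are not parsed here and are only flagged for deeper inspection. The sample attachment is constructed in memory; the file names in it are made up.

```python
"""Inspect a ZIP e-mail attachment for Office documents that carry VBA macros.

Added example (not from the eScan post or the report it summarizes).
Assumptions: Office Open XML documents are ZIP containers, and a macro
project lives in a member named vbaProject.bin. Legacy OLE2 documents
are only flagged by extension, not parsed.
"""
import io
import zipfile
from typing import Dict, List, Optional

OOXML_EXT = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm")
LEGACY_EXT = (".doc", ".dot", ".xls", ".ppt")


def ooxml_has_vba(data: bytes) -> bool:
    """True if an Office Open XML blob contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_zip_attachment(data: bytes, max_members: int = 50,
                           max_bytes: int = 20_000_000) -> List[Dict[str, Optional[str]]]:
    """Return one verdict per archive member (bounded to resist zip bombs)."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": None, "verdict": "not-a-zip"}]
    findings = []
    with archive:
        for info in archive.infolist()[:max_members]:
            lower = info.filename.lower()
            if info.file_size > max_bytes:
                verdict = "too-large-skipped"        # do not inflate huge members in the gateway
            elif lower.endswith(OOXML_EXT):
                verdict = "office-with-macro" if ooxml_has_vba(archive.read(info)) else "office-no-macro"
            elif lower.endswith(LEGACY_EXT):
                verdict = "legacy-office-needs-ole-scan"  # OLE2 macro check needs an OLE parser
            else:
                verdict = "other"
            findings.append({"member": info.filename, "verdict": verdict})
    return findings


def should_quarantine(findings: List[Dict[str, Optional[str]]]) -> bool:
    """Hold the message if any member is a macro document or an unparsed legacy one."""
    return any(f["verdict"] in ("office-with-macro", "legacy-office-needs-ole-scan")
               for f in findings)


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP holding a minimal macro-bearing .docm and a clean .docx."""
    def ooxml(parts: Dict[str, bytes]) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, content in parts.items():
                z.writestr(name, content)
        return buf.getvalue()

    docm = ooxml({"[Content_Types].xml": b"<Types/>",
                  "word/document.xml": b"<w:document/>",
                  "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake vba project"})
    docx = ooxml({"[Content_Types].xml": b"<Types/>",
                  "word/document.xml": b"<w:document/>"})
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_Details.docm", docm)   # made-up file name
        z.writestr("readme.docx", docx)
        z.writestr("notes.txt", b"plain text")
    return outer.getvalue()


if __name__ == "__main__":
    results = inspect_zip_attachment(build_sample_attachment())
    for r in results:
        print(f"{r['member']}: {r['verdict']}")
    print("quarantine:", should_quarantine(results))
```

The verdict list is deliberately coarse: a gateway rule that holds any ZIP-wrapped macro document is cheap and catches this delivery pattern, while the "legacy" and "too-large" verdicts route what this scanner cannot judge to a deeper sandbox rather than silently passing it.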
The report also describes additional modules and gives statistics on QakBot-based attacks.
Some more insights
- According to the research, the malware embeds a list of 150 IP addresses in a resource of its loader. These addresses usually belong to infected systems that serve as proxies, relaying traffic to the main C2 server or to another proxy.
- Cookie Grabber, Hidden VNC, Email Collector, Hooking module, Pass Grabber module, Proxy module, and Web inject are among the additional modules used by the threat actors.
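An embedded proxy list like the one described above is most useful to a defender once it is turned into network detections. The example below is added here and is not code from eScan or from the report; it assumes, purely for the demonstration, that the list is packed as 4-byte IPv4 addresses followed by 2-byte big-endian ports (this is not a claim about the real loader's resource layout) and uses a constructed firewall log format. The sample resource uses documentation (TEST-NET) addresses.

```python
"""Decode an embedded proxy/C2 address list and match it against connection logs.

Added example, not from the eScan post or the underlying report.
Assumed entry layout: 4-byte IPv4 + 2-byte big-endian port (demo only,
not the real resource format). Log format is constructed for the demo.
"""
import ipaddress
import re
import struct
from typing import Dict, List, Set, Tuple

ENTRY_SIZE = 6  # assumed: 4 bytes IPv4 + 2 bytes port


def pack_entries(entries: List[Tuple[str, int]]) -> bytes:
    """Build a blob in the assumed layout; used only to construct sample data."""
    return b"".join(ipaddress.IPv4Address(ip).packed + struct.pack(">H", port)
                    for ip, port in entries)


# Constructed sample resource (TEST-NET addresses), with one junk entry and
# trailing bytes that do not form a complete entry.
SAMPLE_RESOURCE = pack_entries([
    ("203.0.113.10", 443),
    ("198.51.100.77", 2222),
    ("192.0.2.5", 995),
    ("127.0.0.1", 443),      # loopback: unusable as a proxy, must be dropped
]) + b"\x00\x01"


def parse_proxy_list(blob: bytes) -> Set[str]:
    """Decode 'ip:port' strings, skipping a trailing partial entry and unusable addresses."""
    proxies = set()
    usable = len(blob) - len(blob) % ENTRY_SIZE
    for off in range(0, usable, ENTRY_SIZE):
        ip = ipaddress.IPv4Address(blob[off:off + 4])
        (port,) = struct.unpack(">H", blob[off + 4:off + 6])
        if port == 0 or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            continue
        proxies.add(f"{ip}:{port}")
    return proxies


# Constructed log line format: "<timestamp> <src> -> <dst>:<port> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5}) (?P<action>\w+)$"
)

SAMPLE_LOGS = [  # constructed
    "2021-08-01T10:00:01Z 10.0.0.15 -> 203.0.113.10:443 ALLOW",
    "2021-08-01T10:00:05Z 10.0.0.15 -> 198.51.100.1:80 ALLOW",
    "2021-08-01T10:01:10Z 10.0.0.22 -> 198.51.100.77:2222 ALLOW",
    "2021-08-01T10:02:00Z 10.0.0.22 -> 192.0.2.5:80 ALLOW",
    "malformed line that the parser should skip",
]


def match_logs(lines: List[str], proxies: Set[str]) -> List[Dict[str, str]]:
    """Flag connections to a listed ip:port (high confidence) or to a listed IP
    on some other port (low confidence, since proxies may change ports)."""
    listed_ips = {p.split(":")[0] for p in proxies}
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, port = m["dst"], m["port"]
        if f"{dst}:{port}" in proxies:
            confidence = "high"
        elif dst in listed_ips:
            confidence = "low"
        else:
            continue
        alerts.append({"src": m["src"], "dst": f"{dst}:{port}", "confidence": confidence})
    return alerts


if __name__ == "__main__":
    known = parse_proxy_list(SAMPLE_RESOURCE)
    for alert in match_logs(SAMPLE_LOGS, known):
        print(alert)
```

Because the listed hosts are themselves infected machines rather than attacker-owned infrastructure, treat matches as triage leads on the source host (the alert's `src`) rather than as a permanent blocklist: the list changes as victims are cleaned and new ones are recruited.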
Key statistics
The same security firm detected 181,869 attempts to download or run QakBot in the first seven months of this year. This is fewer than the detections recorded between January and July 2020.
- The number of targeted users has climbed by 65 percent year over year to 17,316.
QakBot has been stealing information and carrying out a variety of other disruptive tasks for financial gain, and the threat appears to be here to stay. Defenders should therefore keep an eye on its activity and verify that the appropriate security measures are in place across all endpoints.
To read more, please check the eScan Blog.