Qakbot: The Evil Duck Reappears
Qakbot malware also known as Qbot has remained a persistent and formidable adversary since mid-2000s, it emerged as a banking Trojan. It has evolved and adapted itself against cyber defences to remain in the list of top malwares over a decade.
The Genesis of Qakbot
First identified in 2008, Qakbot was designed to steal financial data and confidential information from compromised system. Earlier versions used key-logging and web traffic analysis to get hold of these sensitive data. It’s also known as Pinkslipbot. It is a second stage malware which requires an initial access technique like phishing as a first stage .
Infrastructure
Qakbot uses a layered infrastructure for its Command and Control servers. Threat actors typically host these servers through providers who lease them out; consequently, these providers generally avoid cooperating with law enforcement agencies to shut them down. The graph below depicts the malware’s C2 structure. Tier1 nodes represent a subset of infected systems chosen as supernodes to establish communication with victim computers. Supernodes had it’s presence in 63 countries. The intermediary nodes acts as proxies between the main C2 server and the infected machines to cover the tracks.
Evolutionary Phases
Over the years, the malware has undergone several evolutionary phases, showcasing its adaptability and resilience to security measures. It evolved from a basic banking Trojan to a multifunctional threat capable of employing various attack vectors, including exploit kits, phishing emails, and lateral movement within networks. One significant evolutionary leap involved the integration of worm-like capabilities, enabling Qakbot to propagate across networks swiftly. It utilized brute force techniques to spread laterally, infecting interconnected devices and networks, amplifying its impact and complicating mitigation efforts.
Ransomware Gangs using Qakbot
Various financially motivated ransomware groups are known to utilize Qakbot as an infection vector. These list includes Conti, ProLock, Egregor, REvil, MegaCortex, Black Basta, Royal.
FBI-Led Law Agencies takes down Qakbot
In August 2023, FBI in collaboration with other Law enforcement agencies were able to take down the infrastructure of Qakbot and seize bitcoins worth about $8.6 million. The operation identified over 700,000 infected machines with the malware, of which 200,000 were in the US. Redirecting the malicious traffic to a controlled environment facilitated taking down the malware network, instructing the infected machines to download an uninstaller.
Qakbot Returns
About 3 months after the take down in December 2023, Microsoft Threat intelligence reported phishing campaigns connected to Qakbot. On it’s return the primary targets were hospitality sector. The phishing email was masquerading IRS as shown in the image below.
Qakbot Phishing Email (Microsoft)
Conclusion
Qakbot has been around for a long time and it’s roots are strong. Cyber criminals from Eastern European operates it. According to a report published by Checkpoint, Qakbot was the most prevalent malware in multiple regions globally.
Top Malware Groups (Checkpoint)
The Maware targeted multiple sectors.
Impacted Sectors (Checkpoint)
Although the infrastructure has been taken down, the individuals responsible for the malware and their connections continue to persist. They will learn their lessons and make a comeback. As cybercriminals grow stronger, the security solutions also advance. Therefore, prepare for such attacks by implementing and maintaining robust security measures.