06:02 PM

Emerging Qakbot Exploit Is Ruffling Some Feathers

Fast-spreading attack spreads like a worm, stings like a Trojan, RSA researchers say

It isn't particularly new, and it's not as funny as it sounds. But the Qakbot Trojan recently has been causing plenty of ripples in the IT security pond, researchers say.

In a blog posted yesterday, researchers at RSA Security offered a closer look at Qakbot and how its unusual behavior is causing a flock of troubles on the Web.

Qakbot is different in that it almost exclusively targets U.S. financial institutions, the researchers say. It also is the first Trojan seen to be exclusively targeting business/corporate accounts at these financial institutions.

"The goal for Qakbot is to siphon out larger sums of money, much more than would generally be available in private online accounts," RSA says. "While Qakbot is not the first and only Trojan to target such accounts, it is the only one that shows this type of strict 'preference' by design, and with no exceptions."

How does Qakbot infect its prey? Researchers are not sure. RSA says it has not found HTML or JavaScript code injections, or man-in-the-browser attacks that are typically used to circumvent two-factor authentication mechanisms. "Still, we suspect that Qakbot does have some sort of module for completing real time attacks, since it would otherwise not target business accounts to begin with," the blog says.

Qakbot is designed to spread like a worm -- infecting multiple machines at a time -- while also stealing data like an ordinary banker Trojan, RSA says. Qakbot targets shared networks, copying its executable file into shared directories, a technique that enables it to propagate on corporate networks, the blog observes.

In addition, Qakbot is the first Trojan to separate targeted credentials from other stolen information, the researchers say. The targeted credentials are sent to the Qakbot's drop server, while credentials stolen from entities that are not specifically targeted by Qakbot are uploaded to hijacked FTP accounts, located on legitimate FTP servers.

"The sheer volume and detail of information stolen by Qakbot is astounding," the blog says. "Every time an infected user accesses an entity’s website, the Trojan organizes data transmitted from the victim’s machine into three separate files ... These files are organized per user and are complete with comprehensive system and user-account information. All this information is likely aggregated by Qakbot's authors to research future possible exploits."

The Qakbot Trojan's most famous victim to date is the National Health Service (NHS), the U.K.'s publicly funded healthcare system, the RSA researchers say. Qakbot infected more than 1,100 computers at NHS, and "while there was no evidence that patient data was compromised, 4 GB of credentials from Facebook, Twitter, Hotmail, Gmail, and Yahoo were seen being funneled through NHS monitored servers."

Qakbot features extensive lab-evasion procedures designed to ensure the Trojan does not run in a security company's research lab, according to RSA. "Unlike some other Trojans, which simply check whether they are being run on a virtual machine to determine whether to continue their self-installation, Qakbot's authors have taken pains to set up a series of seven tests in an attempt to ensure that their Trojan will not be reverse-engineered and scrutinized by security researchers."

If Qakbot recognizes that it is being run in a lab setting, then it reports the relevant IP address to the Trojan's drop zone, RSA says. "This kind of notification is likely performed to blacklist the IP address, so that the Trojan never again attempts to infect the same research lab," the blog says.

Qakbot also features a unique, self-developed compression format to compress credentials stolen by the Trojan -- the first such programming feat of its kind, RSA says. "The Qakbot authors' proprietary archive format forces professional security researchers to dedicate a considerable amount of time and effort to write an appropriate decompressor," the blog says.

Unlike some other Trojans, Qakbot's distribution is "quite limited, so it is likely privately owned and operated by a single cybercriminal or gang, as opposed to being commercially available in the underground," the RSA researchers say. "However, despite the Trojan's low prevalence in the wild, its unique functionalities all make Qakbot a highly targeted virtual burglar."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-07-19
redhat-certification does not properly restrict files that can be download through the /download page. A remote attacker may download any file accessible by the user running httpd.
PUBLISHED: 2018-07-19
redhat-certification does not properly sanitize paths in A remote attacker could use this flaw to overwrite any file, potentially gaining remote code execution.
PUBLISHED: 2018-07-19
The approveAndCall function of a smart contract implementation for Aditus (ADI), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all contract balances into their account).
PUBLISHED: 2018-07-19
TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses.
PUBLISHED: 2018-07-19
AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code t...