Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Emerging Qakbot Exploit Is Ruffling Some Feathers

Fast-spreading attack spreads like a worm, stings like a Trojan, RSA researchers say

It isn't particularly new, and it's not as funny as it sounds. But the Qakbot Trojan recently has been causing plenty of ripples in the IT security pond, researchers say.

In a blog posted yesterday, researchers at RSA Security offered a closer look at Qakbot and how its unusual behavior is causing a flock of troubles on the Web.

Qakbot is different in that it almost exclusively targets U.S. financial institutions, the researchers say. It also is the first Trojan seen to be exclusively targeting business/corporate accounts at these financial institutions.

"The goal for Qakbot is to siphon out larger sums of money, much more than would generally be available in private online accounts," RSA says. "While Qakbot is not the first and only Trojan to target such accounts, it is the only one that shows this type of strict 'preference' by design, and with no exceptions."

How does Qakbot infect its prey? Researchers are not sure. RSA says it has not found HTML or JavaScript code injections, or man-in-the-browser attacks that are typically used to circumvent two-factor authentication mechanisms. "Still, we suspect that Qakbot does have some sort of module for completing real time attacks, since it would otherwise not target business accounts to begin with," the blog says.

Qakbot is designed to spread like a worm -- infecting multiple machines at a time -- while also stealing data like an ordinary banker Trojan, RSA says. Qakbot targets shared networks, copying its executable file into shared directories, a technique that enables it to propagate on corporate networks, the blog observes.

In addition, Qakbot is the first Trojan to separate targeted credentials from other stolen information, the researchers say. The targeted credentials are sent to the Qakbot's drop server, while credentials stolen from entities that are not specifically targeted by Qakbot are uploaded to hijacked FTP accounts, located on legitimate FTP servers.

"The sheer volume and detail of information stolen by Qakbot is astounding," the blog says. "Every time an infected user accesses an entity’s website, the Trojan organizes data transmitted from the victim’s machine into three separate files ... These files are organized per user and are complete with comprehensive system and user-account information. All this information is likely aggregated by Qakbot's authors to research future possible exploits."

The Qakbot Trojan's most famous victim to date is the National Health Service (NHS), the U.K.'s publicly funded healthcare system, the RSA researchers say. Qakbot infected more than 1,100 computers at NHS, and "while there was no evidence that patient data was compromised, 4 GB of credentials from Facebook, Twitter, Hotmail, Gmail, and Yahoo were seen being funneled through NHS monitored servers."

Qakbot features extensive lab-evasion procedures designed to ensure the Trojan does not run in a security company's research lab, according to RSA. "Unlike some other Trojans, which simply check whether they are being run on a virtual machine to determine whether to continue their self-installation, Qakbot's authors have taken pains to set up a series of seven tests in an attempt to ensure that their Trojan will not be reverse-engineered and scrutinized by security researchers."

If Qakbot recognizes that it is being run in a lab setting, then it reports the relevant IP address to the Trojan's drop zone, RSA says. "This kind of notification is likely performed to blacklist the IP address, so that the Trojan never again attempts to infect the same research lab," the blog says.

Qakbot also features a unique, self-developed compression format to compress credentials stolen by the Trojan -- the first such programming feat of its kind, RSA says. "The Qakbot authors' proprietary archive format forces professional security researchers to dedicate a considerable amount of time and effort to write an appropriate decompressor," the blog says.

Unlike some other Trojans, Qakbot's distribution is "quite limited, so it is likely privately owned and operated by a single cybercriminal or gang, as opposed to being commercially available in the underground," the RSA researchers say. "However, despite the Trojan's low prevalence in the wild, its unique functionalities all make Qakbot a highly targeted virtual burglar."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-16
IBM Sterling File Gateway through is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.