Cylance vs. Qakbot Malware

Following up on a Threat Spotlight published in April 2016, it appears that attackers have continued to mutate Qakbot in order to infect new systems. This is the challenge with advanced malware: it keeps changing to evade detection and response, and because signature-based scanners key on specific byte patterns or file hashes, even very small changes to a sample are usually enough to slip past traditional antivirus (AV).

In the last month alone, Qakbot has gained functional enhancements and multiple layers of obfuscation, coupled with server-side polymorphism: the distribution server re-packs the binary for each download, so every victim receives a sample with a different hash and signature-based matching has nothing stable to key on.

Here’s what our latest research turned up:

  1. Qakbot has adapted to target 64-bit systems across the globe
  2. The code has been re-written from the ground up in 2017
  3. More than 20% of the code is specifically designed for evasion and persistence
  4. The malware is directed at Trend Micro customers
  5. Qakbot decimates Windows Defender

Background and Timeline

Qakbot has been around for years. It harvests credentials from compromised hosts much as Mimikatz does, but, unlike a tool that an operator drives by hand, it then uses those credentials on its own to spread quickly through an enterprise over network shares. (Rubber Ducky and Bash Bunny, sometimes mentioned alongside it, are USB keystroke-injection devices that require physical access and do not propagate over the network, so they are not a useful comparison.) The malware’s core functionality hasn’t changed much over the years, and deep dives have been performed by various organizations during that time. But it keeps coming back.

Stolen credentials continue to be a huge deal for organizations across the globe. A majority of breaches involve compromised credentials at some stage (see the 2016 Bangladesh Bank / SWIFT heist, where attackers used stolen SWIFT operator credentials to issue fraudulent transfer orders).

How Is Qakbot Delivered? What Does It Do?

Qakbot is initially delivered through phishing emails, but once inside a network it replicates and moves laterally like a worm, using the credentials it harvests to reach other machines over network shares. The initial-access vector is nothing new; the self-propagation is what sets it apart. Signature-based AV has had detections for Qakbot since at least 2012:

  • BKDR_QAKBOT.AF [TrendMicro]
  • Win32/Qakbot [Computer Associates]
  • W32/QakBot [Sophos]
  • W32/Akbot [McAfee]
  • Trojan-PSW.Win32.Qbot.mk [Kaspersky]
  • W32.Qakbot [Symantec]
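Signature names like those above break as soon as the sample is re-packed, so a defender who wants to catch the worm-like spread described above has to look at behavior instead. The following detector is an added example, not code from the Cylance post: it runs over Windows Security audit events (event ID 5140, "A network share object was accessed", which is a real event ID) and flags one account, from one source address, touching administrative shares (ADMIN$, C$) on many distinct hosts inside a short window. The log lines are constructed for the example, and the window and host-count thresholds are assumptions to tune per environment.

```python
"""Flag worm-like fan-out over SMB admin shares in Windows Security events.

Added example (not from the Cylance post). Event ID 5140 is the real
"network share object was accessed" audit event; the log lines below are
constructed, and WINDOW / MIN_HOSTS are assumed thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}   # shares a worm uses to drop and run its payload
WINDOW = timedelta(minutes=10)    # assumption: fan-out must happen within this span
MIN_HOSTS = 4                     # assumption: distinct hosts before we alert

# Constructed sample log. CORP\jdoe from 10.0.0.15 hits ADMIN$ on five hosts in
# three minutes (worm-like). CORP\bob also touches five hosts, but one every
# 30 minutes (an admin working through a list). svc_backup reads C$ on two
# file servers (normal). One malformed line exercises the parser's skip path.
SAMPLE_LOG = [
    r"2017-06-01T10:00:01 EventID=4624 Account=CORP\jdoe SourceIP=10.0.0.15 Target=WS-101",
    r"2017-06-01T10:00:03 EventID=5140 Account=CORP\jdoe SourceIP=10.0.0.15 Target=WS-101 Share=\\*\ADMIN$",
    r"2017-06-01T10:00:40 EventID=5140 Account=CORP\jdoe SourceIP=10.0.0.15 Target=WS-102 Share=\\*\ADMIN$",
    r"2017-06-01T10:01:15 EventID=5140 Account=CORP\jdoe SourceIP=10.0.0.15 Target=WS-103 Share=\\*\C$",
    r"2017-06-01T10:02:02 EventID=5140 Account=CORP\jdoe SourceIP=10.0.0.15 Target=WS-104 Share=\\*\ADMIN$",
    r"2017-06-01T10:02:50 EventID=5140 Account=CORP\jdoe SourceIP=10.0.0.15 Target=WS-105 Share=\\*\ADMIN$",
    r"2017-06-01T08:00:00 EventID=5140 Account=CORP\bob SourceIP=10.0.0.7 Target=WS-201 Share=\\*\ADMIN$",
    r"2017-06-01T08:30:00 EventID=5140 Account=CORP\bob SourceIP=10.0.0.7 Target=WS-202 Share=\\*\ADMIN$",
    r"2017-06-01T09:00:00 EventID=5140 Account=CORP\bob SourceIP=10.0.0.7 Target=WS-203 Share=\\*\ADMIN$",
    r"2017-06-01T09:30:00 EventID=5140 Account=CORP\bob SourceIP=10.0.0.7 Target=WS-204 Share=\\*\ADMIN$",
    r"2017-06-01T10:00:00 EventID=5140 Account=CORP\bob SourceIP=10.0.0.7 Target=WS-205 Share=\\*\ADMIN$",
    r"2017-06-01T10:05:00 EventID=5140 Account=CORP\svc_backup SourceIP=10.0.0.9 Target=FS-01 Share=\\*\C$",
    r"2017-06-01T10:05:30 EventID=5140 Account=CORP\svc_backup SourceIP=10.0.0.9 Target=FS-02 Share=\\*\C$",
    r"this line is not an audit event",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"SourceIP=(?P<ip>\S+) Target=(?P<host>\S+)(?: Share=(?P<share>\S+))?$"
)


def parse_line(line):
    """Parse one key=value audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "eid": int(d["eid"]),
        "acct": d["acct"],
        "ip": d["ip"],
        "host": d["host"],
        "share": d["share"],
    }


def share_name(share):
    r"""Reduce a UNC share path such as \\*\ADMIN$ to its share name, ADMIN$."""
    return share.rsplit("\\", 1)[-1].upper() if share else None


def find_share_fanout(lines, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return one alert per (account, source IP) that touched admin shares on
    at least `min_hosts` distinct hosts within any `window`-long span."""
    events = [e for e in map(parse_line, lines)
              if e and e["eid"] == 5140 and share_name(e["share"]) in ADMIN_SHARES]
    events.sort(key=lambda e: e["ts"])

    by_actor = defaultdict(list)            # group by who did it and from where
    for e in events:
        by_actor[(e["acct"], e["ip"])].append(e)

    alerts = []
    for (acct, ip), evs in by_actor.items():
        start = 0                           # sliding window over this actor's events
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {x["host"] for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"account": acct, "source_ip": ip, "hosts": sorted(hosts),
                               "first": evs[start]["ts"], "last": evs[end]["ts"]})
                break                       # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in find_share_fanout(SAMPLE_LOG):
        print(f"ALERT {a['account']} from {a['source_ip']} touched admin shares on "
              f"{len(a['hosts'])} hosts between {a['first']} and {a['last']}: {a['hosts']}")
```

Grouping by account and source address is what separates a worm from a busy administrator: the same account used from many workstations, or many hosts reached from one workstation in minutes, is the pattern that credential-reusing malware produces and that a human rarely does. In production the events would come from a SIEM rather than a list of strings, and the thresholds should be set from a baseline of normal admin-share activity so that backup and patching jobs do not page anyone.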

This post focused on the threat’s polymorphic feature, which (Read more...)

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog