What is Qakbot? An Evolutionary Case Study

Exploring the origins and evolution of Qakbot, a notorious banking trojan, through a comprehensive case study analysis.

Friday, 5 April, 2024

Qakbot Evolution - Cyberware Hub

Qakbot, also known as QBot or Pinkslipbot, has been a prominent and persistent threat since 2008, targeting businesses worldwide, and has grown into one of the most widely deployed banking trojans. It is built to steal financial data and login credentials from web browsers, to spread to other systems on the same network, and to drop ransomware on compromised hosts to extract further profit from them.

Ransomware groups that have used Qakbot infections as their way into victim networks include Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta.

The lures abuse a wide range of Windows-handled file types: Microsoft Excel formats (.XLS, .XLSB, .XLTM, and .XLL add-ins), .PDF, .HTML and .XHTML (Extensible HTML), .WSF (Windows Script File), .JS (JavaScript), .VBS (Visual Basic Script), .PS1 (PowerShell script), .HTA (HTML Application), XMLHTTP, ISO disk images, and more.

How Does Qakbot Work?

Qakbot typically spreads through spam and phishing campaigns: the victim receives a deceptive email carrying a malicious link or one of the attachment types above, which delivers the malware to the host. It has also been distributed by other malware, most notably Emotet. Once inside a network, Qakbot can move laterally to infect additional machines.
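The attachment types listed above are the ones a mail gateway has to make a decision on before the message ever reaches a user. The following triage routine is an added example written for this page, not code from the original article or from any Qakbot sample; it classifies attachment names by the file types the article lists, using the last extension (the one Windows actually uses to pick a handler) so that a disguised name such as "Statement.pdf.js" is still treated as a script, and it rejects names containing a right-to-left override character. Adding .zip and .img to the container set is an assumption of this example, since the article names only ISO images, and the sample filenames are constructed for the demonstration.

```python
import os
from typing import List, Tuple

# File types the article lists in Qakbot lures, grouped by how a mail gateway
# should handle them. Extensions are lowercase, without the leading dot.
SCRIPT_EXTS = {"js", "vbs", "wsf", "hta", "ps1"}   # run on double-click via WSH or PowerShell
OFFICE_EXTS = {"xls", "xlsb", "xltm", "xll"}       # macro-capable Excel formats and add-ins
MARKUP_EXTS = {"pdf", "html", "xhtml"}             # lures that link to, or smuggle, a payload
CONTAINER_EXTS = {"iso"}                           # disk images: contents lack Mark-of-the-Web
# Assumption (not from the article): archives are added because they are the
# usual outer wrapper around an ISO or script payload in this kind of lure.
CONTAINER_EXTS |= {"zip", "img"}

# Unicode right-to-left override: "photo\u202egnp.js" renders as "photosj.png"
# in a file listing while Windows still treats it as a .js file.
RLO = "\u202e"

def split_extensions(filename: str) -> List[str]:
    """Every extension of a name, lowercased: 'Statement.pdf.js' -> ['pdf', 'js']."""
    base = os.path.basename(filename.strip())
    return [p.lower().strip() for p in base.split(".")[1:] if p.strip()]

def triage_attachment(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'detonate' or 'allow'."""
    if RLO in filename:
        return ("block", "right-to-left override hides the real extension")
    exts = split_extensions(filename)
    if not exts:
        return ("allow", "no extension")
    last = exts[-1]                      # the extension Windows uses to choose a handler
    if last in SCRIPT_EXTS:
        return ("block", f".{last} script executes on open")
    if last in CONTAINER_EXTS:
        return ("block", f".{last} container can hide a script or shortcut")
    if last in OFFICE_EXTS:
        return ("detonate", f".{last} may carry macros or an add-in")
    if last in MARKUP_EXTS:
        return ("detonate", f".{last} may smuggle or link to a downloader")
    return ("allow", f".{last} not in the lure list")

SEVERITY = {"allow": 0, "detonate": 1, "block": 2}

def triage_message(attachments: List[str]) -> str:
    """Worst verdict across all attachments of one message."""
    verdicts = [triage_attachment(a)[0] for a in attachments]
    return max(verdicts, key=SEVERITY.get, default="allow")

if __name__ == "__main__":
    # Constructed sample attachment names for the demonstration, not real samples.
    sample = ["Invoice_0423.xlsb", "Statement.pdf.js", "scan_1132.iso", "notes.txt"]
    for name in sample:
        print(f"{name!r:24} -> {triage_attachment(name)}")
    print("message verdict:", triage_message(sample))
```

The "detonate" verdict is deliberate: Excel files and PDFs cannot simply be blocked in most organisations, so they go to a sandbox rather than the inbox, while script files and disk images have no legitimate reason to arrive by email and are dropped outright.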

The Evolution of Qakbot:

Over the years, Qakbot's evasion techniques have changed significantly. Whenever researchers found a way to detect or unpack a given version, its authors adapted quickly and kept evading detection, and each update made the code harder to analyse and identify, keeping it a step ahead of security products.

Typical Qakbot Functions Observed in the Wild:

  • Gathering data on the compromised host.

  • Creating scheduled tasks for privilege escalation and persistence.

  • Harvesting credentials by dumping them from memory, extracting saved passwords and cookies from browser data, and targeting online banking sessions with web injects.

  • Conducting password brute-forcing attacks.

  • Manipulating the registry for persistence.

  • Creating copies of itself.

  • Using process injection to hide the malicious code inside a legitimate process.
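Several of the behaviours in this list (scheduled-task and Run-key persistence, process injection, credential dumping) leave distinctive traces in endpoint telemetry. The detection logic below is an added example for this page, not code from the article or from any vendor product; it runs four rules over JSON event lines that use Sysmon's field names (EventID, Image, CommandLine, TargetObject, Details, SourceImage, TargetImage, GrantedAccess). The sample events are constructed for the demonstration, "upd.exe" is a hypothetical dropped payload, and the heuristic that a binary launched from a user-writable directory is suspicious is an assumption of the example rather than a claim about any specific Qakbot build.

```python
import json
import re
from typing import Dict, List, Tuple

# Directories an unprivileged user can write to. Persistence that launches a
# binary from here is the pattern to hunt; system software rarely does this.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\",
    re.IGNORECASE,
)

def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path or ""))

def rule_scheduled_task(ev: Dict) -> str:
    """Sysmon EID 1: schtasks.exe /create whose action lives in a user-writable path."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return ""
    cmd = ev.get("CommandLine", "")
    if "/create" in cmd.lower() and is_user_writable(cmd):
        return "persistence: scheduled task launches binary from user-writable path"
    return ""

def rule_run_key(ev: Dict) -> str:
    """Sysmon EID 13: value under a CurrentVersion\\Run* key pointing at a user-writable path."""
    if ev.get("EventID") != 13 or "\\currentversion\\run" not in ev.get("TargetObject", "").lower():
        return ""
    if is_user_writable(ev.get("Details", "")):
        return "persistence: Run key launches binary from user-writable path"
    return ""

def rule_remote_thread(ev: Dict) -> str:
    """Sysmon EID 8: CreateRemoteThread from a user-writable binary into another process."""
    if ev.get("EventID") != 8:
        return ""
    src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    if src.lower() != dst.lower() and is_user_writable(src):
        return "injection: remote thread from user-writable binary into " + dst.rsplit("\\", 1)[-1]
    return ""

def rule_lsass_access(ev: Dict) -> str:
    """Sysmon EID 10: lsass.exe opened with PROCESS_VM_READ (0x0010), needed to dump credentials."""
    if ev.get("EventID") != 10 or not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return ""
    try:
        granted = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return ""
    if granted & 0x0010 and is_user_writable(ev.get("SourceImage", "")):
        return "credential access: lsass.exe memory read from user-writable binary"
    return ""

RULES = [rule_scheduled_task, rule_run_key, rule_remote_thread, rule_lsass_access]

def detect(lines: List[str]) -> List[Tuple[str, Dict]]:
    """Run every rule over each JSON event line; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend((hit, ev) for hit in (rule(ev) for rule in RULES) if hit)
    return findings

def _line(**fields) -> str:
    return json.dumps(fields)

# Constructed sample events using Sysmon field names; this is not a real capture.
# "upd.exe" under AppData stands in for a dropped payload; the other lines are benign.
SAMPLE_LOG = [
    _line(EventID=1, Image=r"C:\Windows\System32\schtasks.exe",
          CommandLine=r'schtasks /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\Microsoft\upd.exe" /sc minute /mo 5'),
    _line(EventID=1, Image=r"C:\Windows\System32\schtasks.exe",
          CommandLine=r'schtasks /create /tn VendorUpdate /tr "C:\Program Files\Vendor\update.exe" /sc daily'),
    _line(EventID=13, TargetObject=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd",
          Details=r"C:\Users\alice\AppData\Roaming\Microsoft\upd.exe"),
    _line(EventID=8, SourceImage=r"C:\Users\alice\AppData\Roaming\Microsoft\upd.exe",
          TargetImage=r"C:\Windows\explorer.exe"),
    _line(EventID=10, SourceImage=r"C:\Users\alice\AppData\Roaming\Microsoft\upd.exe",
          TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1010"),
    _line(EventID=1, Image=r"C:\Windows\System32\notepad.exe", CommandLine="notepad.exe"),
    "this line is not JSON and must be skipped",
]

if __name__ == "__main__":
    for finding, ev in detect(SAMPLE_LOG):
        print(f"[EID {ev['EventID']}] {finding}")
```

The user-writable-path heuristic keeps the rules short but will also fire on legitimate software that updates itself from AppData (per-user installers are common), so in production each rule would be paired with an allowlist keyed on code signer or file hash rather than on path alone.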

Happy Learning !!!