Emerging Qakbot Exploit Is Ruffling Some Feathers

  /     /     /  
Publicated : 22/11/2024   Category : security


Emerging Qakbot Exploit Is Ruffling Some Feathers


Fast-spreading attack spreads like a worm, stings like a Trojan, RSA researchers say



It isnt particularly new, and its not as funny as it sounds. But the Qakbot Trojan recently has been causing plenty of ripples in the IT security pond, researchers say.
In a
blog
posted yesterday, researchers at RSA Security offered a closer look at Qakbot and how its unusual behavior is causing a flock of troubles on the Web.
Qakbot is different in that it almost exclusively targets U.S. financial institutions, the researchers say. It also is the first Trojan seen to be exclusively targeting business/corporate accounts at these financial institutions.
The goal for Qakbot is to siphon out larger sums of money, much more than would generally be available in private online accounts, RSA says. While Qakbot is not the first and only Trojan to target such accounts, it is the only one that shows this type of strict preference by design, and with no exceptions.
How does Qakbot infect its prey? Researchers are not sure. RSA says it has not found HTML or JavaScript code injections, or man-in-the-browser attacks that are typically used to circumvent two-factor authentication mechanisms. Still, we suspect that Qakbot does have some sort of module for completing real time attacks, since it would otherwise not target business accounts to begin with, the blog says.
Qakbot is designed to spread like a worm -- infecting multiple machines at a time -- while also stealing data like an ordinary banker Trojan, RSA says. Qakbot targets shared networks, copying its executable file into shared directories, a technique that enables it to propagate on corporate networks, the blog observes.
In addition, Qakbot is the first Trojan to separate targeted credentials from other stolen information, the researchers say. The targeted credentials are sent to the Qakbots drop server, while credentials stolen from entities that are not specifically targeted by Qakbot are uploaded to hijacked FTP accounts, located on legitimate FTP servers.
The sheer volume and detail of information stolen by Qakbot is astounding, the blog says. Every time an infected user accesses an entity’s website, the Trojan organizes data transmitted from the victim’s machine into three separate files ... These files are organized per user and are complete with comprehensive system and user-account information. All this information is likely aggregated by Qakbots authors to research future possible exploits.
The Qakbot Trojans most famous victim to date is the National Health Service (NHS), the U.K.s publicly funded healthcare system, the RSA researchers say. Qakbot infected more than 1,100 computers at NHS, and while there was no evidence that patient data was compromised, 4 GB of credentials from Facebook, Twitter, Hotmail, Gmail, and Yahoo were seen being funneled through NHS monitored servers.
Qakbot features extensive lab-evasion procedures designed to ensure the Trojan does not run in a security companys research lab, according to RSA. Unlike some other Trojans, which simply check whether they are being run on a virtual machine to determine whether to continue their self-installation, Qakbots authors have taken pains to set up a series of seven tests in an attempt to ensure that their Trojan will not be reverse-engineered and scrutinized by security researchers.
If Qakbot recognizes that it is being run in a lab setting, then it reports the relevant IP address to the Trojans drop zone, RSA says. This kind of notification is likely performed to blacklist the IP address, so that the Trojan never again attempts to infect the same research lab, the blog says.
Qakbot also features a unique, self-developed compression format to compress credentials stolen by the Trojan -- the first such programming feat of its kind, RSA says. The Qakbot authors proprietary archive format forces professional security researchers to dedicate a considerable amount of time and effort to write an appropriate decompressor, the blog says.
Unlike some other Trojans, Qakbots distribution is quite limited, so it is likely privately owned and operated by a single cybercriminal or gang, as opposed to being commercially available in the underground, the RSA researchers say. However, despite the Trojans low prevalence in the wild, its unique functionalities all make Qakbot a highly targeted virtual burglar.
Have a comment on this story? Please click Discuss below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Emerging Qakbot Exploit Is Ruffling Some Feathers