2023 appeared to be a pivotal year for combating malware. Despite an alarming 95% year-over-year increase in ransomware attacks, one of the most prolific malware operations was disrupted by law enforcement. In August, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), together with international partners, dismantled the network of Qakbot, an infamous botnet known for spreading ransomware and evading detection.
However, the reprieve lasted only a few months before Qakbot reappeared in a new form, delivered through weaponized PDF and Excel files.
This article will dive deep into Qakbot, exploring its destruction and resurgence while providing actionable insight into how to prevent it from disrupting your business in the future.
Qakbot is a sophisticated malware family that has been around for over a decade and has been distributed under several names, including Qbot and Pinkslipbot. Having started as a banking trojan, Qakbot has evolved into a complex and versatile malware multi-tool. Its modular design lets it carry a variety of payloads, but its core functionality uses keylogging and web injects to steal financial data and personal credentials.
As a threat, Qakbot goes beyond data theft: it self-propagates across networks and leverages techniques such as vulnerability exploitation and password brute-forcing. Compounding this is Qakbot’s role as a delivery mechanism for other malicious payloads, including ransomware. Part of what makes Qakbot notorious is its persistence: it uses advanced evasion tactics to avoid detection by security software and is constantly updated to adapt to countermeasures.
Qakbot Almost Falls
Qakbot was first identified in 2008 as a pure banking trojan. In those early years it infected victims’ machines and siphoned off online banking credentials and other personal data. Over the following 12 years, Qakbot’s developers added features and functions, gradually turning it into a loader for other payloads such as ransomware. This evolution took it beyond a singular focus on financial data into a multi-functional tool useful across a wide range of cybercrime.
The evolution of Qakbot culminated in the release of a new version in 2020. This update was widely adopted by cybercriminals, resulting in a 465% spike in cyberattacks involving it and prompting CISA and the FBI to respond to the heightened threat. Each issued multiple warnings and advisories, providing mitigation strategies and indicators of compromise to help organizations defend against Qakbot’s tactics.
While on the surface it appeared that CISA and the FBI were only monitoring Qakbot, far more was under way. On August 29, 2023, a coordinated multinational operation led by the FBI with international partners disrupted the Qakbot infrastructure, followed within days by a joint CISA/FBI advisory on identifying and disrupting that infrastructure. The operation severed the connection between the botnet’s command and control servers and roughly 700,000 infected computers worldwide, about 200,000 of them in the U.S. To keep the operators from simply reconstituting the botnet, the FBI redirected Qakbot traffic to servers under its control, which instructed the infected machines to download and run an uninstaller that removed the malware.
While this looked like the end of Qakbot, the operators behind it were not arrested as part of the operation, leaving them free to return with a new version.
Qak Comes Back
Despite the network disruption by the FBI and CISA, Qakbot has resurfaced, now weaponizing PDF files and Microsoft Excel documents delivered through Google Chrome. While each uses a different method to launch Qakbot, the Excel and PDF attacks share a common theme: the Qakbot loader is embedded within seemingly safe files. Because users regard these files as safe, they rarely take additional precautions before opening them, which is exactly what the attack relies on. Once the file is opened, the hidden payload runs, quietly installing Qakbot and starting a multi-step attack that silently spreads the malware to other reachable systems.
How Qakbot Infections Work
Part of the danger of Qakbot is that it is far more than generic malware. It operates using a variety of tactics and techniques to integrate additional payloads and evade detection.
Its operation can be broken down into several key aspects:
- Initial Infection: Qakbot typically infiltrates systems through phishing emails carrying malicious attachments or links. Once a user opens the attachment or follows the link, the loader runs and installs the malware.
- Malware Installation and Persistence: Upon installation, Qakbot establishes persistence on the infected system, typically through registry entries or scheduled tasks, so that it remains active after the system reboots.
- Modular Malware: Qakbot is modular, with separate components for different malicious activities. This modularity lets its operators adapt and update its capabilities easily.
- Banking Trojan Capabilities: Qakbot originally functioned primarily as a banking trojan, capturing banking credentials and other sensitive financial information through keylogging or web injection when victims accessed online banking.
- Data Exfiltration: Qakbot can exfiltrate a wide range of data from infected systems, including personal and financial information, system information, and login credentials.
- Lateral Movement: One of Qakbot’s most dangerous features is its ability to move laterally across networks, exploiting vulnerabilities, guessing or cracking passwords, and abusing legitimate network administration tools to spread to other machines. Once inside a network, it can propagate rapidly through the often less well-defended internal network with little resistance.
- Delivery of Additional Malware: Qakbot’s modularity lets it serve as a delivery vehicle for other malware, including ransomware, downloading and installing additional payloads once it has established control over a system or network.
- Command and Control (C2) Communication: Attackers manage Qakbot through regular communication with command and control servers, issuing instructions and pushing updates. This communication is encrypted to avoid detection, allowing it to blend in with normal network traffic.
- Evasion Techniques: One reason for Qakbot’s longevity is its ability to avoid detection by antivirus (AV) and other security software by hiding its files and processes. It goes further by assessing the environment before execution to detect virtual machines or sandboxes used by security researchers to isolate and analyze malware.
- Self-Updating: Qakbot is known for updating itself to evade detection and improve its capabilities, making it a continually evolving threat.
Preventing Future Qakbot Threats
With the potential for future Qakbot variants, organizations must recognize that the malware threat is never entirely eliminated. If it isn’t a new version of Qakbot, a different malware strain will eventually come around, potentially even more dangerous as AI (artificial intelligence) drives new malware permutations. Cybercriminals can use AI tools to build on existing malware such as Qakbot, adding functionality and evasion with minimal effort.
Preparing for these threats requires more than traditional antivirus. While AV is effective at catching most known malware strains, it is less effective at identifying new variants of existing malware or previously unseen zero-day threats. Signature updates eventually catch up, but it takes time for new strains to be identified and their signatures distributed, leaving a window of opportunity for attack.
Organizations should augment AV with CDR (content disarm and reconstruction) to neutralize even zero-day threats. CDR does not try to detect threats; instead, it sanitizes files by deconstructing them and rebuilding them from only known-safe components. Anything that is not part of that known-safe structure, including embedded macros, scripts and other active content that malware relies on, is dropped in the process without any user intervention.
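To make the allow-list idea concrete, here is an added example in Python (not Votiro’s code, and not a description of how Votiro’s engine works) that performs a simplified CDR pass over a macro-enabled Excel package. An .xlsm file is a ZIP of XML “parts”, so the rebuild copies only parts whose names are on an allow-list, strips the XML elements that hook OLE/ActiveX objects, VML and external workbooks from the parts it keeps, and regenerates `[Content_Types].xml` and the `.rels` parts so nothing references what was dropped. The allow-list, the set of active-content elements, and the sample package with its placeholder bytes are all assumptions made for the illustration; a production engine additionally validates and re-creates every XML part against its schema instead of copying bytes.

```python
# Illustrative allow-list rebuild of an OOXML spreadsheet (simplified CDR pass); added
# example, not Votiro's code. Allow-list and sample package are assumptions for the demo.
import io, posixpath, re, zipfile, xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MACRO_MAIN = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
ET.register_namespace("r", R_NS)
# Inert part names; anything else (vbaProject.bin, embeddings/, externalLinks/, VML, ...) is dropped unread.
SAFE_PARTS = re.compile(r"^(\[Content_Types\]\.xml|_rels/\.rels|docProps/(app|core)\.xml|xl/workbook\.xml|xl/_rels/workbook\.xml\.rels"
                        r"|xl/(styles|sharedStrings)\.xml|xl/worksheets/sheet\d+\.xml|xl/worksheets/_rels/sheet\d+\.xml\.rels)$")
# Top-level elements that hook OLE/ActiveX objects, VML drawings or external workbooks.
ACTIVE_ELEMENTS = {"oleObjects", "controls", "legacyDrawing", "legacyDrawingHF", "externalReferences"}

def serialize(root, default_ns):
    ET.register_namespace("", default_ns)  # write this namespace unprefixed
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def prune_content_types(data, kept):
    """Drop entries for parts that no longer exist; demote a macro-enabled workbook to plain."""
    root = ET.fromstring(data)
    for el in list(root):
        kind = el.tag.rpartition("}")[2]
        if kind == "Default" and not any(n.endswith("." + el.get("Extension")) for n in kept):
            root.remove(el)
        elif kind == "Override" and el.get("PartName").lstrip("/") not in kept:
            root.remove(el)
        elif kind == "Override" and el.get("ContentType") == MACRO_MAIN:
            el.set("ContentType", PLAIN_MAIN)
    return serialize(root, CT_NS)

def prune_relationships(rels_name, data, kept):
    """Drop relationships to removed parts. 'xl/_rels/workbook.xml.rels' describes 'xl/workbook.xml',
    so its relative targets resolve against 'xl/'."""
    source_dir = posixpath.dirname(posixpath.dirname(rels_name))
    root = ET.fromstring(data)
    for rel in list(root):
        if rel.get("TargetMode") == "External":
            continue  # a URL hyperlink, not a package part
        t = rel.get("Target")
        if posixpath.normpath(t[1:] if t.startswith("/") else posixpath.join(source_dir, t)) not in kept:
            root.remove(rel)
    return serialize(root, REL_NS)

def strip_active_elements(data):
    root = ET.fromstring(data)
    for el in list(root):
        if el.tag.rpartition("}")[2] in ACTIVE_ELEMENTS:
            root.remove(el)
    return serialize(root, MAIN_NS)

def rebuild(package):
    """Return (sanitized package bytes, sorted names of the parts that were dropped)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src:
        names = [i.filename for i in src.infolist() if not i.is_dir()]
        kept = {n for n in names if SAFE_PARTS.match(n)}
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for name in [n for n in names if n in kept]:  # source order keeps [Content_Types].xml first
                data = src.read(name)
                if name == "[Content_Types].xml":
                    data = prune_content_types(data, kept)
                elif name.endswith(".rels"):
                    data = prune_relationships(name, data, kept)
                elif name.startswith("xl/"):
                    data = strip_active_elements(data)
                dst.writestr(name, data)
    return out.getvalue(), sorted(n for n in names if n not in kept)

def parts_text(package):
    """Map part name -> decoded text (None for binary parts), for inspecting a package."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return {n: z.read(n).decode() if n.endswith((".xml", ".rels")) else None for n in z.namelist()}

def build_macro_sample():
    """Constructed .xlsm-style package (placeholder bytes, not real malware): an 'Enable Content'
    lure sheet, a VBA project, and an embedded OLE package referenced from the sheet."""
    sml = "application/vnd.openxmlformats-officedocument.spreadsheetml"
    rel = lambda i, t, g: f'<Relationship Id="{i}" Type="{t}" Target="{g}"/>'
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/xl/workbook.xml" ContentType="{MACRO_MAIN}"/>'
            f'<Override PartName="/xl/worksheets/sheet1.xml" ContentType="{sml}.worksheet+xml"/>'
            '<Override PartName="/xl/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}">{rel("rId1", R_NS + "/officeDocument", "xl/workbook.xml")}</Relationships>',
        "xl/workbook.xml": f'<workbook xmlns="{MAIN_NS}" xmlns:r="{R_NS}"><sheets><sheet name="Invoice" sheetId="1" r:id="rId1"/></sheets></workbook>',
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{REL_NS}">{rel("rId1", R_NS + "/worksheet", "worksheets/sheet1.xml")}'
            f'{rel("rId2", "http://schemas.microsoft.com/office/2006/relationships/vbaProject", "vbaProject.bin")}</Relationships>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{MAIN_NS}" xmlns:r="{R_NS}"><sheetData><row r="1"><c r="A1" t="inlineStr">'
            '<is><t>Enable Content to view</t></is></c></row></sheetData><oleObjects><oleObject progId="Package" r:id="rId1"/></oleObjects></worksheet>',
        "xl/worksheets/_rels/sheet1.xml.rels": f'<Relationships xmlns="{REL_NS}">{rel("rId1", R_NS + "/oleObject", "../embeddings/oleObject1.bin")}</Relationships>',
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder VBA project",
        "xl/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 placeholder OLE package",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body if isinstance(body, bytes) else body.encode())
    return buf.getvalue()

if __name__ == "__main__":
    print("dropped:", rebuild(build_macro_sample())[1])
```

Running `rebuild(build_macro_sample())` drops `xl/vbaProject.bin` and `xl/embeddings/oleObject1.bin`, removes their `Default`/`Override` entries and the relationships that pointed at them, strips the `<oleObjects>` hook from the sheet, and rewrites the workbook’s content type from macro-enabled to plain, so the result opens as an ordinary .xlsx with the lure text intact but nothing left to “enable”. Note what the code never does: it does not look inside the VBA project or the OLE object to decide whether they are malicious. That is the point of CDR as described above, and also its trade-off, since legitimate macros are removed along with malicious ones.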
Preparing for New Threats with Votiro
Votiro stands as a leader in cyber defense, blending the strengths of AV and CDR technologies to protect against threats concealed in seemingly harmless content. By combining the immediate detection capabilities of AV with the detection-independent sanitization of CDR, Votiro delivers a comprehensive security solution: known threats are swiftly identified and neutralized, while CDR removes what detection misses and keeps a detailed record of the threats it has mitigated.
Votiro goes beyond standard cybersecurity measures with a solution that integrates easily with existing systems through API-driven technology, so protection is not only immediate but also powerful and straightforward to implement. Installation is quick and efficient: the Software as a Service (SaaS) setup can be completed in 10 minutes, and on-premises installations take only 90 minutes. This swift deployment minimizes disruption to organizational operations while quickly establishing robust defenses against cyber threats.
Contact us today to learn how Votiro raises the bar in stopping new and existing hidden threats in files, allowing your employees and systems to remain secure while maintaining productivity.
And if you’re ready to try Votiro, start today with a free 30-day trial.