QakBot trojan triggers Active Directory lockouts while seeking to drain bank accounts

Oh, and it boasts worm-like capabilities that facilitate self-replication…

A banking trojan known as QakBot is capable of triggering Active Directory lockouts while seeking to drain corporate bank accounts.

Like most other malware in the wild, QakBot (also known as PinkSlip) relies on exploit kits and spam campaigns to reach unsuspecting webmail users. A successful attack activates a JavaScript dropper, which delays its own execution in case it has landed in a sandbox environment. After as many as 15 minutes have passed, the dropper launches explorer.exe and loads the malware's DLLs into it.

Once the banking trojan is on an infected machine, it does everything in its power to stay there. As Michael Oppenheim, Kevin Zuk, Matan Meir, and Limor Kessem of IBM X-Force explain:

"Overall, QakBot’s detection circumvention mechanisms are less common than those used by other malware of its class. Upon infecting a new endpoint, the malware uses rapid mutation to keep AV systems guessing. It makes minor changes to the malware file to modify it and, in other cases, recompiles the entire code to make it appear unrecognizable."

It then uses the infected user's login and domain credentials (if it has obtained them from the domain controller) in an attempt to infect other machines on the same network. To boost its success rate, QakBot also carries hardcoded passwords for dictionary-style guessing, including guesses where the password is identical to the username or is the username spelled backwards. These guesses generate a burst of failed logon attempts against each account, and once the failures exceed the domain's account lockout threshold, the account is locked out.

Account lockouts logged. (Source: IBM X-Force)
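The lockout pattern described above is something a defender can look for in the domain controllers' Security logs before the help desk starts fielding calls. The following is an added example, not code from this article or from IBM X-Force: it parses a constructed set of Windows Security events (event 4625, failed logon, with SubStatus 0xC000006A for a wrong password, and event 4740, account locked out), flags any source workstation whose failed logons touch several distinct accounts within a short window, and lists the lockouts attributed to that workstation. The host names, user names, log layout and thresholds are assumptions made for the example, not data from the page.

```python
"""Spot password-guessing lateral movement (QakBot-style) in Windows Security events.

Added example for illustration; not the article's or IBM X-Force's code.
The log lines are constructed to resemble Security events, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Security event: an account failed to log on
ACCOUNT_LOCKED = 4740    # Security event: a user account was locked out
WRONG_PASSWORD = "0xC000006A"  # 4625 SubStatus: correct user, bad password


@dataclass
class LogonEvent:
    time: datetime
    event_id: int
    target_user: str   # TargetUserName
    source_host: str   # WorkstationName (4625) or Caller Computer Name (4740)
    status: str = ""   # SubStatus for 4625; empty for 4740


def parse_event(line):
    """Parse one constructed, pipe-delimited line: time|id|user|host|status."""
    ts, eid, user, host, status = (line.split("|") + [""])[:5]
    return LogonEvent(datetime.fromisoformat(ts), int(eid), user, host, status)


# Constructed sample: WS-07 is infected and guesses passwords for three accounts
# (assumed lockout threshold of 3 for the toy domain); WS-12 is a single typo;
# WS-03 hammers one account, which is noisy but not a spray across accounts.
SAMPLE_LOG = """\
2017-06-01T09:00:01|4625|jsmith|WS-07|0xC000006A
2017-06-01T09:00:02|4625|jsmith|WS-07|0xC000006A
2017-06-01T09:00:03|4625|jsmith|WS-07|0xC000006A
2017-06-01T09:00:04|4740|jsmith|WS-07|
2017-06-01T09:00:05|4625|mkhan|WS-07|0xC000006A
2017-06-01T09:00:06|4625|mkhan|WS-07|0xC000006A
2017-06-01T09:00:07|4625|mkhan|WS-07|0xC000006A
2017-06-01T09:00:08|4740|mkhan|WS-07|
2017-06-01T09:00:09|4625|svc_backup|WS-07|0xC000006A
2017-06-01T09:00:10|4625|svc_backup|WS-07|0xC000006A
2017-06-01T09:03:00|4625|bjones|WS-12|0xC000006A
2017-06-01T09:05:00|4625|agreen|WS-03|0xC000006A
2017-06-01T09:05:10|4625|agreen|WS-03|0xC000006A
2017-06-01T09:05:20|4625|agreen|WS-03|0xC000006A
2017-06-01T09:05:30|4625|agreen|WS-03|0xC000006A
2017-06-01T09:05:40|4625|agreen|WS-03|0xC000006A
2017-06-01T10:30:00|4625|jsmith|WS-07|0xC000006A
"""

EVENTS = [parse_event(line) for line in SAMPLE_LOG.splitlines()]


def find_spraying_hosts(events, window=timedelta(minutes=5), min_accounts=3):
    """Return {source_host: accounts} for hosts whose wrong-password failures
    hit at least `min_accounts` distinct accounts inside any `window`.

    A host that fails repeatedly against ONE account (a user mistyping, or a
    stale service password) is deliberately not flagged: the tell-tale sign of
    worm-like guessing is breadth across accounts from a single source.
    """
    by_host = defaultdict(list)
    for e in events:
        if e.event_id == FAILED_LOGON and e.status == WRONG_PASSWORD:
            by_host[e.source_host].append(e)

    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.time)
        start, best = 0, set()
        for end, e in enumerate(evs):           # sliding window over time
            while evs[start].time < e.time - window:
                start += 1
            accounts = {x.target_user for x in evs[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged[host] = best
    return flagged


def lockouts_by_caller(events):
    """Map each caller computer to the set of accounts it got locked out (4740)."""
    locked = defaultdict(set)
    for e in events:
        if e.event_id == ACCOUNT_LOCKED:
            locked[e.source_host].add(e.target_user)
    return dict(locked)


if __name__ == "__main__":
    locked = lockouts_by_caller(EVENTS)
    for host, accounts in find_spraying_hosts(EVENTS).items():
        print(f"{host}: guessed {sorted(accounts)}; "
              f"locked out {sorted(locked.get(host, ()))}")
```

In a real environment the 4625 events live on the member server or workstation that rejected the logon while 4740 is recorded on the domain controllers, so the two sources have to be collected centrally before this kind of correlation works; the single-account noise case (WS-03 above) is why the rule keys on distinct accounts per source rather than on raw failure counts.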

On each machine it infects, the malware also implements man-in-the-browser (MitB) functionality to inject malicious code into online banking sessions. Through these web injects it steals keystrokes, cached credentials, digital certificates and other information it needs to take control of a business's bank account. Attackers can then drain the account and harvest financial information to conduct further attacks.

QakBot is known to primarily target treasury services. But that is ever changing, as Oppenheim and his colleagues point out:

"According to X-Force researchers, QakBot’s operators have been upgrading the malware’s code, persistence mechanisms, anti-AV and anti-research capabilities. As the malware evolves, it has also been known to target organizations in the health care and education sectors."

Current QakBot configuration by target type. (Source: IBM X-Force)

To protect against QakBot, organizations should train employees to avoid suspicious links and email attachments, keep their machines' software up to date, and block unnecessary workstation-to-workstation communication so that one infected machine cannot spread to the others.



One Response

  1. Mark Jacobs

    June 6, 2017 at 11:43 am

    Can you please explain to me how a "JavaScript dropper" can run executables on the PC the browser is running on? Surely, the user must OK something to allow an executable to run from a browser session. Surely! And that means you won't get infected if you don't run it! Geez!
