What is Qakbot?

Qakbot is a banking trojan that has been active for over a decade. Its significance in cybersecurity lies in its multifaceted capabilities, which include stealing sensitive financial information, propagating through networks, and acting as a delivery mechanism for other malware. Qakbot has evolved over time, making it a persistent and versatile threat.

Yes, Qakbot is often referred to as Qbot, or Pinkslipbot, in the cybersecurity community.

Qakbot’s capabilities include:

Information theft: It steals sensitive financial information, such as login credentials, banking details, and personal data.

Network propagation: Qakbot can spread laterally within a network, infecting multiple machines.

Payload delivery: It serves as a delivery mechanism for other malware, including ransomware.

Keylogging: Qakbot records keystrokes to capture login credentials.

Email credential theft: It can harvest email credentials to facilitate further attacks, such as spam campaigns.

Qakbot primarily spreads through malicious email attachments or links. Once executed on a victim’s system, it establishes persistence, injects itself into system processes, and starts its malicious activities. It spreads laterally through network shares and removable drives, leveraging known vulnerabilities and weak passwords for propagation.

While Qakbot is primarily a banking trojan, it has been used as a delivery mechanism for ransomware payloads in some instances. Ransomware groups like Conti, REvil and Prolocked have used the Qakbot malware to gain access to compromised systems and deliver their ransomware.

‍

Qakbot’s impact on infected systems can be severe. It can lead to financial losses due to stolen banking information, as well as data breaches. Additionally, the lateral movement and payload delivery capabilities of Qakbot can result in further malware infections and system compromise.

Darktrace has detected multiple instances of Qakbot infections with visibility into how the malware operates.

In general, indicators of a Qakbot infection may include unusual lateral movement activity, brute force attempts or unauthorized access of accounts, and anomalous connections to rare external destinations.

The tactics, techniques, and procedures (TTPs) and IP addresses that have been observed in association with Qakbot infections can also be found here.

Qakbot is considered sophisticated due to its multi-functionality and ability to adapt to evolving security measures. While it may not have garnered as much attention as some ransomware strains, its ability to steal sensitive information and serve as a delivery mechanism for other malware makes it a significant threat.

To protect against Qakbot and similar threats, organizations can:

• Implement robust email security solutions to filter out malicious attachments and links.
• Conduct regular security awareness training for employees to recognize phishing attempts.
• Keep software and systems up to date with security patches.
• Enforce strong password policies and use multi-factor authentication (MFA)
• Employ network segmentation to limit lateral movement.
• Use of endpoint security solutions to detect potential threats.

Security solutions or tools that can help detect, prevent, or mitigate Qakbot infections effectively include:

• Email security gateways with anti-phishing capabilities.
• Threat Intelligence feeds that can provide information on the evolving malware.
• Endpoint security solutions with behavior-based detection.
• Network Intrusion Detection and Prevention Systems (IDS/IPS).

Darktrace/Email can defend against phishing attacks while Darktrace DETECT’s anomaly-based detection can identify unusual network activities such as lateral movement.