A widely used banking Trojan that has been wreaking havoc in the wild for over a decade has developed a new ability. Called Qakbot (or Qbot for short), the Trojan has been found to be using an updated persistence mechanism that can make it more difficult for users to detect and subsequently remove from infected systems, security researchers say.
On infected systems, Qakbot attempts to steal login credentials, with the ultimate goal of draining a victim's bank account. To stay resident on a machine, it relies on scheduled tasks for persistence. However, those tasks have been updated to evade detection, making an already pesky piece of malware even more bothersome.
"These files are then decrypted and reassembled using the type command. Detection that is focused on seeing the full transfer of the malicious executable would likely miss this updated version of Qakbot," the researchers explain.
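One way a defender could hunt for the behaviour the researchers describe, a scheduled task whose command line stitches file fragments back together with `type` and redirects the result into an executable, is to scan exported task definitions for that pattern. This is an added example, not code from the article or from the Cisco researchers; the task names, paths and the `SAMPLE_TASKS` export below are constructed and are not Qakbot's real values.

```python
"""Flag scheduled tasks whose command line rebuilds a payload with `type`.

Input is a list of (task name, command line) pairs, as a defender might
export from task-creation audit events or `schtasks /query /v /fo csv`.
"""
import re

EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")

# Matches `type <src> [<src> ...] > <dest>` (or `>>`) with quoted or bare paths.
TYPE_REDIRECT = re.compile(
    r'\btype\s+(?P<sources>(?:"[^"]*"|[^\s>&|]+)(?:\s+(?:"[^"]*"|[^\s>&|]+))*)'
    r'\s*>{1,2}\s*(?P<dest>"[^"]*"|[^\s&|]+)',
    re.IGNORECASE,
)


def _tokens(text):
    """Split a Windows argument list on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', text)]


def reassembly_in(cmdline):
    """Return a finding if the command concatenates two or more fragments
    into an executable-looking file, otherwise None."""
    m = TYPE_REDIRECT.search(cmdline)
    if not m:
        return None
    fragments = _tokens(m.group("sources"))
    output = m.group("dest").strip('"')
    if len(fragments) < 2 or not output.lower().endswith(EXEC_EXTENSIONS):
        return None
    # The output path appearing again usually means the rebuilt file is then run.
    launched = cmdline.lower().count(output.lower()) > 1
    return {"fragments": fragments, "output": output, "launched": launched}


def suspicious_tasks(tasks):
    """Map task name -> finding for every task that rebuilds a payload."""
    return {name: hit for name, cmd in tasks if (hit := reassembly_in(cmd))}


# Constructed sample export; task names and paths are invented, not Qakbot's.
SAMPLE_TASKS = [
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o -$"),
    (r"\Updater_1", r'cmd.exe /c type "C:\Users\Public\a1.bin" "C:\Users\Public\a2.bin" '
                    r'"C:\Users\Public\a3.bin" > "C:\Users\Public\upd.exe" & start "" "C:\Users\Public\upd.exe"'),
    (r"\LogRollup", r"cmd.exe /c type C:\logs\today.log >> C:\logs\all.log"),
]

if __name__ == "__main__":
    for name, hit in suspicious_tasks(SAMPLE_TASKS).items():
        print(f"{name}: {len(hit['fragments'])} fragments -> {hit['output']}"
              f"{' (then launched)' if hit['launched'] else ''}")
```

The benign `>>` log roll-up is deliberately left unflagged: a single source file and a non-executable destination is ordinary administration, and the rule keys on both the fragment count and the output type.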
The researchers say they noticed a spike in requests to hijacked domains on April 2, a date that roughly coincides with changes to Qakbot's command string—it's believed that the culprit(s) updated the code on March 15, and then launched a new attack campaign.
Using common-sense computing and basic security practices can protect companies against this type of attack. And of course Cisco has a vested interest in bringing this to attention, as the company points out that its Advanced Malware Protection (AMP), Cisco Cloud Web Security (CWS), and Web Security Appliance (WSA) solutions can all prevent this type of attack.