This Qakbot Password Stealing Malware Just Developed An Invisibility Cloak

A widely used banking Trojan that has been wreaking havoc in the wild for over a decade has developed a new ability. Called Qakbot (or Qbot for short), the Trojan has been found to be using an updated persistence mechanism that can make it more difficult for users to detect and subsequently remove from infected systems, security researchers say.

On infected systems, Qakbot attempts to steal login credentials, with the ultimate goal of draining a victim's bank account. It does this by utilizing scheduled tasks to maintain persistence. However, those tasks have been updated to evade detection, making an already pesky piece of malware even more bothersome.

"Victims of this malware are typically infected via a dropper. Once infected, a victim machine will create a scheduled task. This task will execute a JavaScript downloader that makes a request to one of several hijacked domains," researchers from Cisco's Talos Intelligence Group explain.

The domains that the downloader uses are XOR encrypted at the beginning of the JavaScript routine. Subsequently, the response to the request is obfuscated data that is split and saved into two separate files, which could allow the malware to go undetected.

"These files are then decrypted and reassembled using the type command. Detection that is focused on seeing the full transfer of the malicious executable would likely miss this updated version of Qakbot," the researchers explain.

The researchers say they noticed a spike in requests to hijacked domains on April 2, a date that roughly coincides with changes to Qakbot's command string—it's believed that the culprit(s) updated the code on March 15, and then launched a new attack campaign.

Using common sense computing and basic security practices can protect companies against this type of thing. And of course Cisco has a vested interest in bringing this stuff to attention, as the company points out that its Advanced Malware Protection (AMP), Cisco Cloud Web Security (CWS), and Web Security Appliance (WSA) solutions can all prevent this type of attack.