Fresh wave of mutating Qakbot malware brings down enterprise networks

The malware is able to lock out companies from accessing their networks as well as infecting neighboring systems.
Written by Charlie Osborne, Contributing Writer

The Qakbot malware is making a comeback with a new campaign targeting enterprise players to disrupt operations and lock companies out of their own systems.

On Tuesday, researchers from Cylance said that Qakbot, an information-stealing Trojan and backdoor malware that targets the Microsoft Windows operating system and 64-bit browsers with a particular slant towards business users, is back with a new campaign -- and thanks to a rewrite from the ground up, is even nastier than before.

Qakbot, also known as Bublik and Qbot, is a self-propagating kind of malware that has been circulating for years. The Trojan can spread not only through networks and external drives and devices but also focuses on stealing valuable credentials and harnessing control of the networks it has infected.

There has been a resurgence of the malware, according to Cylance, which has been made even more evasive and persistent with new, polymorphic features that enable the malicious code to squat in business networks for longer and "easily thwart legacy endpoint [security] solutions" through code obfuscation, as well as constantly evolving file makeup and signatures.

Cylance says this "seemingly immortal malware" continues to be a thorn in the side of the enterprise due to feature enhancements, multiple obfuscation layers and server-side polymorphism, which allows the malware to mutate rapidly, circumventing signature-based antivirus systems while on the move.

Once a system has been infected with Qakbot through exploit kit use, phishing campaigns or malicious downloads, the malware does not lock a system in order to hold a business to ransom, unlike ransomware.

Instead, Qakbot is able to lock users out of Active Directory: once credentials have been stolen, it uses them to spam authentication attempts at neighboring hosts and disrupt corporate activities. In turn, this may result either in the compromise of additional hosts and further spread, or in the user accounts used for those authentication attempts being locked out.
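The lockout side effect described above leaves a recognizable trace in the Windows Security log: a burst of failed logons (event 4625) from one workstation against many accounts, followed by account lockouts (event 4740). The script below is an added example, not Cylance's code or anything from the article; it runs over a constructed, simplified set of log records and flags hosts whose failed logons hit several distinct accounts inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), simplified to
# "<timestamp> <event_id> <target_account> <source_workstation>".
# 4625 = failed logon, 4740 = account locked out.
SAMPLE_EVENTS = [
    "2017-05-16T09:00:01 4625 svc_backup WS-FIN-07",
    "2017-05-16T09:00:02 4625 jsmith WS-FIN-07",
    "2017-05-16T09:00:02 4625 mlee WS-FIN-07",
    "2017-05-16T09:00:04 4625 admin WS-FIN-07",
    "2017-05-16T09:00:09 4740 svc_backup WS-FIN-07",
    "2017-05-16T09:31:00 4625 jsmith WS-HR-02",   # single typo, benign
]


def parse(line):
    """Split one record into (timestamp, event_id, account, source)."""
    ts, event_id, account, source = line.split()
    return datetime.fromisoformat(ts), int(event_id), account, source


def detect_lockout_storm(lines, window=timedelta(minutes=5), min_accounts=3):
    """Return {source_host: [accounts]} for every host whose failed logons
    (4625) reached at least `min_accounts` distinct accounts within `window`.
    A single host trying many credentials in quick succession is the pattern
    a credential-spraying worm leaves behind; one failed logon is not."""
    by_source = defaultdict(list)
    for ts, eid, acct, src in map(parse, lines):
        if eid == 4625:
            by_source[src].append((ts, acct))
    flagged = {}
    for src, attempts in by_source.items():
        attempts.sort()  # chronological, so each slice below is a time window
        for i, (start, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[src] = sorted(accounts)
                break
    return flagged


def locked_accounts(lines):
    """Accounts that actually reached the lockout threshold (4740)."""
    return sorted({acct for _, eid, acct, _ in map(parse, lines) if eid == 4740})


if __name__ == "__main__":
    print("spraying hosts:", detect_lockout_storm(SAMPLE_EVENTS))
    print("locked out:", locked_accounts(SAMPLE_EVENTS))
```

The window and threshold are assumptions to tune against a given domain's lockout policy; the point is to correlate the two event types per source host rather than alerting on lockouts alone.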

"Qakbot continues to be a significant threat due to its credential collection capabilities and polymorphic features," Cylance says. "Unhindered, this malware family can rapidly propagate through network shares and create an enterprise-wide incident."

New samples of the malware suggest that Qakbot now also targets victims globally due to the inclusion of international character sets, and a recent surge in attacks means that companies should stay on their guard against suspicious downloads or activity and keep their systems up-to-date to prevent infection.

"While it's unclear why so many systems have suddenly fallen victim to Qakbot, it's possible that updated exploit kits play a role," Cylance says. "After all, there is no shortage of new vulnerabilities and exploits for attackers to use to their advantage."

Earlier this month, Mac app developers warned that users who have recently downloaded the Handbrake video transcoder app may have been infected with Trojan malware after a download mirror was compromised by cyberattackers.
