Microsoft: Help us kill off two banking trojans that learned from WannaCry

Microsoft warns that more and more businesses are being infected by consumer-focused banking trojans.
Written by Liam Tung, Contributing Writer on

Video: UK banks are TrickBot trojan's favourite new targets

Microsoft has appealed to enterprise customers to help stamp out the Qakbot and Emotet banking trojans, which have adopted techniques used by WannaCry to spread on corporate networks.

Banking trojans have for the most part been designed for stealth, helping operators steal credentials -- predominantly from consumers -- without setting off alarms that could lead to detection.

But cybercriminals behind banking trojans are testing techniques used by their noisy extortionist cousins in the ransomware industry.

In particular, Qakbot and Emotet have adopted the exploits that helped WannaCry and NotPetya ransomware rapidly spread inside networks using the file-sharing protocol Server Message Block (SMB).


Microsoft has set out the Qakbot and Emotet attack kill chain.

Image: Microsoft

Security researchers discovered in July that Emotet and another active banking trojan Trickbot had adopted the same spreading technique.

Microsoft warns that though Qakbot and Emotet have typically targeted consumers, it's seeing "more and more" enterprise and small and businesses becoming affected by "indiscriminate infections".

"Recent variants of these malware families have spreading capabilities, which can increase the chances of multiple infections in corporate networks. They can also be spread by other malware during the lateral movement stage of a cyberattack," Microsoft said.

Qakbot and Emotet can spread on a network by infecting all accessible network shares and drives, including USB drives, harvesting credentials to spread via default admin shares and shared folders, and guessing the passwords to Active Directory accounts.

"Qakbot and Emotet can also drop copies in other machines in the network using SMB and then use remote execution to activate," notes Microsoft.

Microsoft's telemetry data shows two significant peaks in Qakbot and Emotet encounters in mid-May and August, which together show a general upward trend.

The company has provided a list of actions customers can take to stop the malware spreading, such as disconnecting affected machines from the network and cutting off internet access until infected machine has been cleaned.

It's also provided links to its own security products that can help isolate and remove Qakbot, Emotet and other related malware.


Microsoft says Qakbot and Emotet monthly machine encounters are increasing.

Image: Microsoft

Previous and related coverage

Fresh wave of mutating Qakbot malware brings down enterprise networks

The malware is able to lock out companies from accessing their networks as well as infecting neighboring systems.

This sneaky malware will cause headaches even after it is deleted from your PC

The QakBot/Pinkslipbot banking trojan can still cause headaches even after it's been removed from your system.

Quick glossary: Malware[Tech Pro Research]

This list of 22 terms will help you grasp the vocabulary that describes malware and the technology that spawns it.

Read more about cybersecurity

Editorial standards