This password-stealing malware just evolved a new tactic to remain hidden

Windows malware campaign re-emerges with new techniques for attempting to stay under the radar.
Written by Danny Palmer, Senior Writer

A well-known form of malware which has been stealing login credentials and finances from enterprises for over a decade has once again been updated with new tricks to make it more effective at avoiding detection.

Qakbot - also known as Qbot - has been afflicting businesses since 2008, using worm-like capabilities to spread. The information-stealing trojan targets Microsoft Windows systems in an effort to create backdoors and make off with the usernames and passwords that can provide access to financial data.

Now Qakbot has been updated with a new persistence mechanism which makes it harder for victims to detect and remove the malware. The new obfuscation technique has been detailed by cybersecurity researchers at Cisco Talos.


Victims of the malware are usually infected via a dropper which, when successfully installed, will create a scheduled task on the infected machine that instructs it to execute a JavaScript downloader from one of a number of attacker-controlled malicious domains.
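The persistence step described above, a scheduled task whose action hands a JavaScript file to a Windows script host, is something a defender can hunt for in exported task definitions. The following is an added example for that triage, not Cisco Talos' tooling or code from the article; the two task XML documents, the file paths and the "user-writable path" heuristic are constructed assumptions of this example, not real Qakbot artefacts.

```python
"""
Triage exported Windows scheduled-task definitions for the persistence
pattern described above: a task whose action launches a script host on a
JavaScript downloader. Added example, not Cisco Talos' tooling; the two
task XML documents below are constructed samples, not real Qakbot artefacts.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by Task Scheduler in exported task XML (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Windows script hosts that can run a .js downloader.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Heuristic assumed by this example: scripts launched from user-writable
# profile or temp directories deserve a closer look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def exec_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (node.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        yield cmd, args


def triage_task(task_xml: str) -> List[str]:
    """Return human-readable findings for one task; an empty list means nothing matched."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        # Reduce the command to its bare executable name, whatever the path style.
        exe = cmd.strip('"').replace("/", "\\").split("\\")[-1].lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"script host launched: {exe}")
        if SCRIPT_EXT.search(args) or SCRIPT_EXT.search(cmd):
            findings.append("script file argument")
        if URL_RE.search(args):
            findings.append("URL in arguments")
        if USER_WRITABLE.search(args) or USER_WRITABLE.search(cmd):
            findings.append("script in user-writable path")
    return findings


def scan_tasks(tasks: Dict[str, str]) -> Dict[str, List[str]]:
    """Triage several task definitions, keeping only the ones with findings."""
    report = {}
    for name, xml in tasks.items():
        findings = triage_task(xml)
        if findings:
            report[name] = findings
    return report


# Constructed sample 1: a routine maintenance task (benign).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample 2: a task that runs a JavaScript file via cscript, the
# shape of the persistence described above (path and file name are made up).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cscript.exe</Command>
      <Arguments>//E:javascript C:\Users\alice\AppData\Roaming\updater.js</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, findings in scan_tasks({"Defrag": BENIGN_TASK, "Updater": SUSPICIOUS_TASK}).items():
        print(f"{name}: {'; '.join(findings)}")
```

On a live host the same XML comes from `schtasks /query /xml` or from the task files under `C:\Windows\System32\Tasks`, so the triage can be run across every registered task rather than the two constructed samples; a hit is a lead for investigation, not proof of infection on its own.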

These domains saw a spike in requests during April, which appears to coincide with a new Qakbot campaign and a change in the persistence mechanism.

The new downloader always requests resources from the same Uniform Resource Identifier (URI) on the hijacked domains. Those resources are XOR-encrypted, which helps obfuscate the malicious data contained in the JavaScript downloader and lets the malware go about its tasks.

This is also helped along by the malware now being divided into two separate files, which are only reassembled to deploy Qakbot when the dropped executable is run, making it more difficult for anti-virus software to detect.
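XOR obfuscation of the kind described above hides the payload from a scanner looking for a plain executable, but it is not encryption in any meaningful sense: an analyst who captures the fetched resource can usually recover the key from the fixed structure of the plaintext. The following is an added example of that triage, not Cisco Talos' tooling or code from the article. It assumes a single-byte (or short repeating) XOR key and a known plaintext prefix, the "MZ" header of a Windows executable; the article does not state what key length Qakbot uses, and the sample blob and key below are constructed.

```python
"""
Analyst triage helper for XOR-obscured downloads of the kind described above.
Added example, not Cisco Talos' tooling. Assumes a repeating-key XOR with a
short key and a known plaintext prefix (the "MZ" header of a Windows
executable); the real key length is not stated in the article. The sample
blob and the key below are constructed.
"""
from collections import Counter

PE_DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_known_plaintext(blob: bytes, known: bytes, key_len: int) -> bytes:
    """Recover a key_len-byte key from a known plaintext prefix (needs len(known) >= key_len)."""
    if key_len < 1 or len(known) < key_len or len(blob) < key_len:
        raise ValueError("known prefix must cover at least one full key period")
    return bytes(blob[i] ^ known[i] for i in range(key_len))


def key_from_zero_frequency(blob: bytes) -> int:
    """Single-byte heuristic: executables carry a lot of 0x00 padding, so the
    most frequent ciphertext byte is most likely key XOR 0x00, i.e. the key."""
    return Counter(blob).most_common(1)[0][0]


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check on a candidate plaintext."""
    return data[:2] == b"MZ" and PE_DOS_STUB in data


def recover_single_byte_key(blob: bytes, known: bytes = b"MZ") -> int:
    """Return the single-byte key when the known prefix and the frequency
    heuristic agree and the decoded data looks like a PE; raise otherwise."""
    key = key_from_known_plaintext(blob, known, 1)[0]
    if any(blob[i] ^ known[i] != key for i in range(len(known))):
        raise ValueError("known prefix is not consistent with a single-byte key")
    if key_from_zero_frequency(blob) != key:
        raise ValueError("frequency heuristic disagrees; key may be longer than one byte")
    if not looks_like_pe(xor_bytes(blob, bytes([key]))):
        raise ValueError("decoded data does not look like an executable")
    return key


# Constructed sample: a minimal PE-shaped buffer (DOS header plus stub text
# and zero padding), XORed with a single made-up key byte.
FAKE_PE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 48
    + PE_DOS_STUB + b".\r\n$"
    + b"\x00" * 64
)
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(FAKE_PE, bytes([SAMPLE_KEY]))


if __name__ == "__main__":
    key = recover_single_byte_key(SAMPLE_BLOB)
    decoded = xor_bytes(SAMPLE_BLOB, bytes([key]))
    print(f"recovered key 0x{key:02x}; decoded header {decoded[:2]!r}; PE-like: {looks_like_pe(decoded)}")
```

The two heuristics are deliberately cross-checked: a known-prefix guess alone can be fooled by a longer key, and the frequency guess alone by a file without much zero padding. For a longer repeating key, `key_from_known_plaintext` with a longer known prefix (for example the full DOS header) recovers the key directly, which is why the first bytes of a well-known file format are so useful in this kind of triage.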

"Detection that is focused on seeing the full transfer of the malicious executable would likely miss this updated version of Qakbot. Because of this update to persistence mechanisms, the transfer of the malicious Qbot binary will be obfuscated to the point that some security products could miss it," said Ashlee Benge, security researcher at Cisco Talos.

Once deployed on an infected system, the trojan works in the background to steal the data that serves the attackers' goals. Researchers have posted a full list of Qakbot's malicious domains as part of the malware analysis, along with hashes and indicators of compromise.

But the best form of defence against Qakbot is to stop it being deployed onto the machine in the first place, because even when the malware is removed, it can still cause ongoing issues.
