Qakbot (aka QBot or Pinkslipbot) is a Trojan with a 15-year evolutionary history. Starting out as a banking Trojan, it has evolved into malware that is now used for lateral movement within a network and for deploying ransomware.
After the botnet was taken down by law enforcement in August 2023, version 5 of Qakbot appeared only a few months later. Zscaler analyzed the transformation of this resilient, persistent and innovative malware. Recently, its researchers discovered that the threat actors have updated the code base to support 64-bit versions of Windows. They have also improved the encryption algorithms and added further obfuscation techniques.
The story of the Qakbot Trojan
The malware was originally developed in 2008 as a banking Trojan to steal credentials and carry out ACH (automated clearing house), wire transfer and credit card fraud. The early versions of Qakbot carried a date stamp but no version number; for clarity they are referred to as 1.0.0 in the graphic. Initially, the malware was deployed as a dropper with two embedded components in its resource section: a malicious DLL and a tool used to inject that DLL into running processes. The range of functions was already extensive at that stage, including a SOCKS5 server, password theft and the collection of web browser cookies.
This early version was expanded, and version 2.0.0 was introduced in 2011. Further milestones in the development of its feature set followed, and in 2019 the shift from bank fraud to initial access brokering began, with Qakbot delivering ransomware such as Conti, ProLock, Egregor, REvil, MegaCortex and BlackBasta. Over the years, Qakbot's anti-analysis techniques have been refined to bypass malware sandboxes, antivirus software and other security products. Today, the malware is modular and can download plugins to add new features dynamically.
Each version number reflects the dominant threat techniques of its period. Early versions used hard-coded command and control servers, which were abandoned as detection techniques improved and malicious domain names were taken down. In response, network encryption and a domain generation algorithm (DGA) were introduced. However, requests to a large number of domains created noticeable network noise, so the Qakbot developers moved to a new multi-tiered architecture that used compromised systems as proxy servers to route traffic between other infected systems. This design change removed the single point of failure, reduced data traffic and helped hide the C2 servers.
Qakbot 5.0
Version 5.0 introduces perhaps its most important change in the string encoding algorithm. Strings are still encrypted with a simple XOR key, but that key is no longer stored hard-coded in the data section. Instead, it is itself encrypted with AES, where the AES key is derived from the SHA256 hash of a buffer. A second buffer contains the AES initialization vector (IV) in its first 16 bytes, followed by the AES-encrypted XOR key. Once the XOR key has been decrypted, the block of encrypted strings can be decrypted.
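The following Go program is an added example, not code from Zscaler's report, showing how an analyst's string decoder would follow that layered scheme; the AES mode (CBC), PKCS#7 padding, the key material and the string block are all assumptions or constructed values, since the report names none of them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
)

// DecodeStrings follows the chain described above: SHA-256(keyBuf) is the AES key,
// ivAndCT is a 16-byte IV followed by the AES-encrypted XOR key, and the recovered
// XOR key decodes the string block. CBC and PKCS#7 padding are assumptions.
func DecodeStrings(keyBuf, ivAndCT, blob []byte) ([]byte, error) {
	if len(ivAndCT) < 2*aes.BlockSize || len(ivAndCT)%aes.BlockSize != 0 {
		return nil, errors.New("buffer must hold an IV plus whole AES blocks")
	}
	aesKey := sha256.Sum256(keyBuf)
	block, _ := aes.NewCipher(aesKey[:]) // 32-byte digest: AES-256, cannot fail
	xorKey := make([]byte, len(ivAndCT)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ivAndCT[:aes.BlockSize]).CryptBlocks(xorKey, ivAndCT[aes.BlockSize:])
	pad := int(xorKey[len(xorKey)-1]) // bad padding almost always means wrong key material
	if pad == 0 || pad > aes.BlockSize || pad >= len(xorKey) {
		return nil, errors.New("bad padding: wrong key material or corrupted buffer")
	}
	return xorWith(xorKey[:len(xorKey)-pad], blob), nil
}

// xorWith is the simple repeating-key XOR Qakbot has long applied to its strings.
func xorWith(key, data []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

// BuildSample exists only so the demo runs offline: it lays out constructed buffers
// the way DecodeStrings expects them (a real sample carries them in its binary).
func BuildSample(keyBuf, iv, xorKey, plainBlob []byte) (ivAndCT, blob []byte) {
	aesKey := sha256.Sum256(keyBuf)
	block, _ := aes.NewCipher(aesKey[:])
	pad := aes.BlockSize - len(xorKey)%aes.BlockSize
	padded := append(append([]byte{}, xorKey...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), xorWith(xorKey, plainBlob)
}
```

The padding check is what tells an analyst that the wrong buffer was picked as key material, rather than silently producing garbage strings.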
Over 15 years the Trojan has changed significantly, becoming a highly resilient and persistent threat. Despite the disruption in 2023, the group behind the malware remains active and will continue to pose a threat for the foreseeable future. Zscaler's multi-layered cloud security platform detects the payloads and classifies them as Win32.Banker.Qakbot.
More at Zscaler.com
About Zscaler
Zscaler accelerates digital transformation so customers can become more agile, efficient, resilient, and secure. Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting people, devices, and applications anywhere. The SSE-based Zero Trust Exchange is the world's largest inline cloud security platform, distributed across 150+ data centers around the world.