Sophos X-Ops has discovered and analyzed a new variant of the Qakbot malware. These cases first emerged in mid-December and show that the Qakbot malware has continued to evolve despite law enforcement's successful dismantling of the botnet infrastructure last August.
The attackers use even better methods to cover their tracks. The cases analyzed by Sophos X-Ops show that cybercriminals made concerted efforts to strengthen the malware's encryption. This has made it more difficult for defenders to analyze the malicious code. Additionally, attackers now encrypt all communications between the malware and the control server using a stronger method than in previous versions. The malware also reintroduced a previously removed feature that prevents it from running in a virtual environment or sandbox.
Creator of Qakbot still active
Only if the creators of the bot are prosecuted could Quakbot end. “Dismantling the Qakbot botnet infrastructure was a victory, but the bot's creators remain active,” said Andrew Brandt, Principal Researcher at Sophos X-Ops, commenting on the recent Qakbot incidents. “Cybercriminals who have access to the original Qakbot source code are experimenting with new variants and testing them in real-world use.
One of the most notable changes concerns the encryption algorithm the bot uses to hide hard-coded default configurations. This makes it even more difficult for analysts to see how the malware works. The attackers are also restoring previously deprecated features such as virtual machine (VM) detection and testing them in these new versions. It is very likely that development of Qakbot will continue until its creators are prosecuted. The good news is that these new Qakbot variants with previously created signatures can be easily detected by endpoint detection software.
More at Sophos.com
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
Matching articles on the topic