
Qakbot (aka Qbot) malware is evolving with new obfuscation techniques

Cisco Talos: Qakbot (aka Qbot) malware is evolving with new obfuscation techniques that make it harder for users to detect and remove it

Qakbot malware (aka Qbot) is evolving, as Cisco Talos security researchers have discovered. The banking trojan, which has been around since 2008, is using an updated persistence mechanism that can make it harder for users to detect and remove it. According to the company’s blog, the malicious code is known to target businesses in the hope of stealing their login credentials and eventually draining their bank accounts. Qakbot has long used scheduled tasks to maintain persistence and potentially evade detection. Victims are typically infected via a dropper. Once infected, a victim machine creates a scheduled task that executes a JavaScript downloader, which makes a request to one of several hijacked domains. The researchers first observed a spike in requests on April 2, 2019, which coincides with DNS changes made to these domains on March 19, 2019.

The cyber security experts: the banking trojan may have been updated to coincide with the launch of a new malicious campaign

According to the researchers, the comment string “CHANGES 15.03.19” is also contained within the malicious JavaScript downloader, suggesting the actor updated the code on March 15. This indicates that the changes to the Qbot persistence mechanism seem to coincide with the launch of a new campaign. The downloader always requests the URI “/datacollectionservice[.]php3” from these hijacked domains; the domains themselves are XOR-encrypted at the beginning of the JavaScript. The response is obfuscated data that is saved as (randalpha)_1.zzz and (randalpha)_2.zzz: the first 1,000 bytes are written to the first file and the remainder to the second, and the data is decrypted with code contained in the JavaScript downloader. Additionally, a scheduled task is created to execute a batch file, which reassembles the Qakbot executable from the two files. The two files are then deleted, while the functionality of the malware itself remains the same.
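A defender-side check for the two artifacts described above, written as an added example (not Talos's or the article's code): only the downloader URI, the two-file split and the 1,000-byte first part come from the article; the log format, hostnames, paths and sizes are constructed samples.

```python
import re
from collections import defaultdict

# Indicators from the article: the JavaScript downloader always requests this URI from
# the hijacked domains, and the obfuscated response is written as <randalpha>_1.zzz
# (first 1,000 bytes) and <randalpha>_2.zzz (the remainder).
QBOT_URI = "/datacollectionservice.php3"
FIRST_PART_SIZE = 1000
ZZZ_RE = re.compile(r"(?P<prefix>[A-Za-z]+)_(?P<part>[12])\.zzz$")

# Constructed sample input (not real telemetry): simplified proxy log lines of the
# form "client host uri status", and (path, size) file-creation events.
SAMPLE_PROXY = [
    "10.0.0.5 updates.example.net /index.html 200",
    "10.0.0.7 hijacked-domain.example /datacollectionservice.php3 200",
    "10.0.0.9 hijacked-domain.example /DataCollectionService.php3?id=1 200",
]
SAMPLE_FILES = [
    (r"C:\Users\u\AppData\Local\Temp\kqzfr_1.zzz", 1000),
    (r"C:\Users\u\AppData\Local\Temp\kqzfr_2.zzz", 418302),
    (r"C:\Users\u\AppData\Local\Temp\backup_1.zzz", 52),  # no matching _2 part
    (r"C:\Users\u\Downloads\notes.txt", 10),
]

def flag_uri_requests(proxy_lines):
    """Return (client, host) for each request to the downloader URI (case-insensitive, query ignored)."""
    hits = []
    for line in proxy_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, host, uri = fields[0], fields[1], fields[2]
        if uri.split("?")[0].lower() == QBOT_URI:
            hits.append((client, host))
    return hits

def flag_zzz_pairs(file_events):
    """Return (directory, prefix) for each _1.zzz/_2.zzz pair whose first part is exactly 1,000 bytes."""
    parts_seen = defaultdict(dict)
    for path, size in file_events:
        directory, _, name = path.replace("\\", "/").rpartition("/")
        match = ZZZ_RE.match(name)
        if match:
            parts_seen[(directory, match.group("prefix"))][match.group("part")] = size
    return sorted(key for key, parts in parts_seen.items()
                  if {"1", "2"} <= parts.keys() and parts["1"] == FIRST_PART_SIZE)

if __name__ == "__main__":
    print("downloader requests:", flag_uri_requests(SAMPLE_PROXY))
    print("split payload pairs:", flag_zzz_pairs(SAMPLE_FILES))
```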
