Qakbot: Analysing a Modern-Day Banking Trojan

Written by

In cybersecurity terms, the Trojan horse is nothing new. 

While the name derives from Greek mythology – the story of a wooden horse said to have helped the Greeks enter Troy and win the Trojan war – of course, it has a very different connotation in the digital sphere. 

Just as the Trojan horse appeared to be a legitimate gift hiding an inner threat, a Trojan virus looks legitimate but hides inner malware, typically as an attachment in an email or downloadable file.

Among the most common is the banking Trojan, with Qakbot a prime example. Also known as QBot or Pinkslipbot, it’s been around for 15 years, having been found in the wild in 2007.

Continually developed and evolved by threat actors, Qakbot continues to wreak havoc on organizations in many ways. While it’s mainly used to steal banking credentials, it has also been deployed to spy on financial operations and install ransomware. 

Attackers are Developing Evasive Techniques

At Menlo Labs, we observed threat actors using the Qakbot Trojan in several campaigns, each leveraging various Highly Evasive Adaptive Threat (HEAT) techniques.

HEAT attacks are becoming an increasingly common focus of threat actors. Analyzing more than half a million malicious URLs, the Labs team recently found that 69% of them leveraged HEAT tactics. 

HEAT attacks are a new class of attack methods built specifically to avoid detection from common layers in traditional security stacks. This includes everything from Secure Web Gateway (SWG) anti-virus engines and sandboxes to network and HTTP-level inspections, malicious link analysis, offline domain analysis and indicator of compromise (IOC) feeds.

With a complete understanding of these dated security solutions, how they work and their weaknesses, threat actors have developed several methods such as data obfuscation, HTML smuggling and Javascript obfuscation that are either individually or together capable of avoiding detection. 

Some of the HEAT techniques used in Qakbot campaigns include:

Excel 4.0 Macros

Menlo Labs saw one campaign sending emails with attachments using Excel 4.0 macros to deliver Qakbot. Those victims who opened the XLS document would be prompted to enable the macro to execute the Excel 4.0 macros. These commands would then present in the XLS file download and execute the payload from C2.

To protect against such threats, security teams must focus on prevention as much as detection and remediation in their strategies. One way is through isolation technology that can wrap any potentially malicious attachment to allow any document to be viewed safely while the inspection engines determine whether the file is good or bad.

Email Lure with Hyperlink

In a second campaign, a benign domain was compromised by attackers to host a malicious payload. The attackers would then send an email with a link to the payload, using password-protected ZIP files – a known HEAT technique – to evade existing defenses and deliver the Qakbot Trojan. Inside the ZIP file is a link file that can easily provide PowerShell commands or JS to execute. When opened, this link file downloads the JS file, and the JS file then downloads the Qakbot payload.

Such threats can be mitigated by ensuring that all documents and archives downloaded from the web may never reach the user’s endpoint device. Malware actors commonly password-protect malicious payloads to evade security defenses – by ensuring these remain isolated in a safe and separate cloud container, both before and after the password is entered, any malicious file won’t have the opportunity to execute. 

HTML Smuggling

In a third campaign, specially crafted HTML attachments and web pages were used to build malware directly on endpoint devices behind the firewall. The infection chain would begin with a potential victim opening an HTML email attachment, with the HTML file then constructing the payload through a decoding process. A password-protected ZIP file would then be created, which, upon extraction, would drop an ISO file (named ‘Report Jul 14 71645.iso’) onto the endpoint machine. Critically, this ISO file contains the Qakbot payload.

The goal of HTML Smuggling is to use HTML5/JavaScript features to deliver file downloads, typically via email attachments and web vectors. The important thing to understand is that a malicious payload that gets downloaded to the endpoint via HTML Smuggling evades all network inspection because the payload is constructed on the browser. So, you need a solution capable of detecting and blocking such attacks delivered via email attachments and web vectors and ensuring the various components don’t have an opportunity to reach endpoint devices.

Having a first layer of defense in place is critical. 

All too often, organizations focus on detection and remediation, yet threat actors are continually finding new ways to bypass such solutions and are marching forward with malicious activities undetected. To stop HEAT attacks and limit the effects of malware, security teams need to update their defenses, preventing threats from reaching the endpoint by embracing more effective solutions like isolation technology.

What’s hot on Infosecurity Magazine?