Qakbot Trojan

First seen in 2009, Qakbot is an advanced banking trojan used in attacks globally. Believed to be the first malware specifically designed to harvest business banking information, it continues to see extensive use in coordination with other well-known tools.

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk



Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Qakbot (also known as Ackbot, PinkSlip, or Qbot) is a sophisticated modular banking trojan targeting education, engineering, financial, healthcare, government, and manufacturing organisations worldwide, with a primary focus on Western Europe and North America.

First observed in 2009, but believed to have been used in campaigns as far back as 2007, Qakbot has seen significant and continuous functionality improvements in the time since, and remains one of the most prevalent threats in the wild.

Shared Qbot naming

Please note that despite sharing the Qbot name with the BashLite botnet, there is no evidence to suggest Qakbot and BashLite are related in any way.

Delivery

Since its creation, Qakbot has used a number of different delivery mechanisms including exploit kits, watering hole attacks, drive-by downloads, and spam or phishing campaigns.

Since July 2020, Qakbot has been delivered as part of a larger campaign by the Emotet botnet. The variant used in this campaign is able to self-propagate using previously collected administration credentials, shared network drives, or removable media. This capability, along with Emotet's own considerable infection functionality, has resulted in a substantial spike in Qakbot infections globally.

Qakbot's infection chain begins with a preliminary JavaScript loader module which uses delayed execution to avoid analysis. The loader then connects to one of several hard-coded URLs to download an encrypted and heavily obfuscated Qakbot DLL payload, which it then decrypts and launches. If successful, the loader will corrupt itself using the ping.exe utility to prevent detection.


Activities

Once installed, Qakbot will perform several anti-analysis and security checks before loading a copy of itself into the %appdata% directory with a valid certificate. If successful, it attempts to create two scheduled tasks and edit several Registry keys in order to maintain persistence.

Qakbot then spawns an explorer.exe process and injects itself into that process's memory, at which point it can be used to inject code into additional processes. A number of network tests are then run and, if passed, a connection to a command and control server is initiated. Qakbot uses both a domain generation algorithm and a hardcoded list to identify active C2 domains.

Modules, both bespoke and open-source, are then passed from the C2 server for Qakbot to deploy on the target network. The Mimikatz password harvester is used to extract a wide variety of credentials, which can then be used to gather additional information or aid in propagation. Qakbot primarily gathers financial information using man-in-the-browser attacks against user banking sessions, using scripts downloaded from the C2 server.

The latest variants of Qakbot will also perform several actions on the target's Active Directory domain, including:

  • rapidly locking multiple AD accounts
  • registering malicious EXE files (including itself) as services on network shares
  • launching automated logon attempts using non-existent accounts

Threat updates

15 Dec 2020: New stealthy persistence mechanism

A new Qakbot variant has been observed using a new persistence mechanism.

Previous versions of Qakbot would attempt to maintain persistence by editing the Run key when they were installed. However, this activity can often be detected and prevented by security services.

This new version monitors for system shutdown or suspend commands and attempts to write itself to the Run key just before the system shuts down, when most other services (including security services) are already closed. When it detects a resume command it will delete its Run key entry to avoid detection.
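One way to hunt for the timing pattern described above is to correlate registry events with power events. The script below is an added example, not part of the NHS Digital advisory: it flags Run-key values set within a short window before a shutdown and Run-key values deleted within a short window after a resume. Sysmon event IDs 13 and 12, System log ID 1074 and Power-Troubleshooter ID 1 are real event IDs, but the tuple layout, the (provider, id) mapping and the sample log lines are constructed for the demonstration.

```python
# Added example (not from the advisory): correlate Run-key changes with
# shutdown/resume events to surface the "write at shutdown, delete at resume"
# persistence pattern. Event layout and sample values are constructed.
from datetime import datetime, timedelta

RUN_KEY_MARKERS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")

# Assumed mapping from (provider, event id) to the kind the detector reasons about.
EVENT_KINDS = {
    ("Sysmon", 13): "regset",                 # registry value set
    ("Sysmon", 12): "regdel",                 # registry object/value deleted
    ("User32", 1074): "shutdown",             # shutdown or restart initiated
    ("Power-Troubleshooter", 1): "resume",    # returned from a low power state
}

# Constructed sample log: (ISO timestamp, provider, event id, detail)
SAMPLE_EVENTS = [
    ("2020-12-15T08:01:10", "Sysmon", 13, "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"),
    ("2020-12-15T17:29:58", "Sysmon", 13, "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wqxtzd"),
    ("2020-12-15T17:30:01", "User32", 1074, "shutdown initiated"),
    ("2020-12-16T07:45:00", "Power-Troubleshooter", 1, "returned from a low power state"),
    ("2020-12-16T07:45:03", "Sysmon", 12, "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wqxtzd"),
]

def is_run_key(path):
    """True when the registry path sits directly under a Run or RunOnce key."""
    return any(marker.lower() in path.lower() for marker in RUN_KEY_MARKERS)

def find_suspicious(events, window=timedelta(seconds=60)):
    """Return (reason, timestamp, registry path) for Run-key changes that fall
    within `window` before a shutdown or after a resume. Writes far from any
    power transition (the OneDrive entry in the sample) are not reported."""
    parsed = sorted(
        ((datetime.fromisoformat(ts), EVENT_KINDS.get((prov, eid)), detail)
         for ts, prov, eid, detail in events),
        key=lambda e: e[0],
    )
    hits = []
    for when, kind, detail in parsed:
        if kind == "regset" and is_run_key(detail):
            # Was a shutdown initiated shortly after this write?
            if any(k == "shutdown" and when <= t <= when + window for t, k, _ in parsed):
                hits.append(("run_key_set_before_shutdown", when.isoformat(), detail))
        elif kind == "regdel" and is_run_key(detail):
            # Did the system resume shortly before this deletion?
            if any(k == "resume" and when - window <= t <= when for t, k, _ in parsed):
                hits.append(("run_key_deleted_after_resume", when.isoformat(), detail))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(*hit)
```

In a real deployment the events would come from a SIEM query over the host's Sysmon and System logs rather than an inline list, and the window would be tuned to the host's typical shutdown duration.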

26 Nov 2020: Egregor partnership

Qakbot has now partnered with the operators of the Egregor ransomware-as-a-service tool. Several Egregor campaigns are now using Qakbot as a delivery and control module.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Last edited: 15 December 2020 2:14 pm