Cylance researchers have spotted enhancements to the Qakbot malware that let it infect new systems and lock administrators out.
The malware has flown under the radar for nearly five years; it can quickly spread through an enterprise over shared networks in order to steal credentials, and it has targeted multiple industries, including manufacturing, law, and payroll.
In the last month alone, the upgrades included both functional enhancements and multiple layers of obfuscation coupled with server-side “polymorphism” or behavior changes, according to a May 23 blog post.
Researchers said the malware has adapted to target 64-bit systems across the globe, and that its code was rewritten from the ground up earlier this year, with more than 20 percent of the code specifically designed for evasion and persistence.
The malware has been directed at Trend Micro customers and it decimates Windows Defender.
“Malware continues to evolve as there is no shortage of vulnerabilities to exploit,” Plixer CEO Michael Patterson told SC Media. “Qakbot’s dynamic polymorphic abilities make it particularly evasive to antivirus systems. This means the virus can more easily maintain its presence without being detected.”
The virus does, however, need to communicate on the network in order to carry out its malicious deeds; it uses HTTPS to communicate with command-and-control (C&C) servers and FTP to upload stolen data, he added.
“Network Traffic Analytics can be leveraged against flow data to watch for this one-two punch combination, especially where odd FQDN patterns are detected.”
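As an added illustration of the flow-based detection Patterson describes (this is not code from the article or from Plixer), the following Python flags a host that both talked HTTPS to an odd-looking FQDN and pushed bulk data out over FTP. The flow records, the "odd FQDN" entropy heuristic, and the byte threshold are constructed assumptions, not values from the report.

```python
import math
from collections import defaultdict

# Constructed sample flow records (not from the article): (src_host, dst_fqdn, dst_port, bytes_out).
# Port 443 is taken as HTTPS and port 21 as FTP control; a real pipeline would use flow app labels.
FLOWS = [
    ("ws-017", "updates.example-vendor.com", 443, 4_200),
    ("ws-017", "kq7x2p9vz1m.example.net", 443, 1_800),   # odd-looking FQDN over HTTPS
    ("ws-017", "ftp.example-drop.net", 21, 9_600_000),   # bulk FTP upload from the same host
    ("ws-042", "mail.example-corp.com", 443, 3_100),
    ("ws-042", "files.example-corp.com", 21, 120_000),   # FTP alone, no odd HTTPS destination
    ("ws-099", "b8d4h3k0q2.example.org", 443, 900),      # odd FQDN alone, no FTP upload
]

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-character string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def is_odd_fqdn(fqdn, min_entropy=3.2, min_digits=2):
    """Assumed heuristic: the leftmost label looks machine-generated (long, digit-heavy, high entropy)."""
    label = fqdn.split(".")[0]
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 8 and digits >= min_digits and shannon_entropy(label) >= min_entropy

def find_one_two_punch(flows, ftp_min_bytes=1_000_000):
    """Return hosts that both contacted an odd FQDN over HTTPS and sent >= ftp_min_bytes over FTP."""
    https_odd = defaultdict(set)   # host -> odd FQDNs seen over HTTPS
    ftp_upload = defaultdict(int)  # host -> total bytes sent over FTP
    for src, fqdn, port, nbytes in flows:
        if port == 443 and is_odd_fqdn(fqdn):
            https_odd[src].add(fqdn)
        elif port == 21:
            ftp_upload[src] += nbytes
    return {
        src: {"odd_fqdns": sorted(https_odd[src]), "ftp_bytes": ftp_upload[src]}
        for src in https_odd
        if ftp_upload[src] >= ftp_min_bytes
    }

if __name__ == "__main__":
    for host, evidence in find_one_two_punch(FLOWS).items():
        print(host, evidence)
```

Only ws-017 is flagged: the other two hosts show one half of the combination each, which is exactly the noise the "one-two punch" pairing is meant to suppress.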