
Qakbot upgrade includes new obfuscation technique

The Qakbot banking trojan, a.k.a. Qbot, has developed new obfuscation techniques that make it harder to detect and remove.

Cisco Talos researchers spotted a change in the trojan's infection chain that may allow the download of the malware to go undetected: the payload is obfuscated when downloaded and saved as two separate files, according to a May 2 blog post.

The files are then decrypted and reassembled using the Windows type command, so detection that relies on observing the full transfer of the malicious executable in one piece would likely miss the updated version of the malware.

The trojan has been active since 2008 and is known to target businesses with the goal of stealing login credentials to drain bank accounts. Victims are usually infected via a dropper, and once infected, the machine creates a scheduled task to execute a JavaScript downloader that makes a request to one of several hijacked domains.
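The two behaviours described above (a JavaScript downloader launched from a scheduled task, and a payload delivered in two pieces and joined with the type command) are the kind of host telemetry a defender can alert on even when the executable never crosses the network in one piece. The following is an added detection example, not code from the Talos post or from SC Media; the event records are constructed to look like Sysmon process-creation fields, the exact "type a b > out.exe" command shape and the scheduler parent images (taskeng.exe, svchost.exe) are assumptions, and the rule names are invented here.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal process-creation record (parent image, image, command line)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events for this example; none come from the report.
SAMPLE_EVENTS = [
    # Script host launched under the Task Scheduler service host (assumed parent).
    Event(r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\u\AppData\Local\Temp\update.js"'),
    # Two downloaded pieces concatenated into an executable with `type`.
    Event(r"C:\Windows\System32\wscript.exe",
          r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c type C:\Users\u\AppData\Local\Temp\part1.dat "
          r"C:\Users\u\AppData\Local\Temp\part2.dat "
          r"> C:\Users\u\AppData\Local\Temp\out.exe"),
    # Benign: `type` used to display a single text file, no redirect.
    Event(r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c type C:\logs\today.txt"),
    # Benign: a user double-clicking a script from Explorer.
    Event(r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\u\Desktop\cleanup.js"'),
]

# Assumed command shape: `type <operand> <operand> ... > <file>.exe|.dll|.scr`.
TYPE_CONCAT = re.compile(
    r"\btype\s+(?P<operands>.+?)\s*>{1,2}\s*(?P<target>\S+\.(?:exe|dll|scr))\b",
    re.IGNORECASE,
)

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumed: processes started by the Task Scheduler carry one of these parents.
SCHEDULER_PARENTS = ("taskeng.exe", "svchost.exe")


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_type_concat(ev: Event):
    """Flag `type` joining two or more files into a PE-looking output file."""
    m = TYPE_CONCAT.search(ev.command_line)
    if not m:
        return None
    operands = m.group("operands").split()
    if len(operands) < 2:  # a single operand is an ordinary `type file > copy`
        return None
    return {"rule": "type-concat-to-executable",
            "target": m.group("target"), "parts": operands}


def detect_scheduled_js(ev: Event):
    """Flag a script host running a .js file when parented by the scheduler."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return None
    if basename(ev.parent_image) not in SCHEDULER_PARENTS:
        return None
    if ".js" not in ev.command_line.lower():
        return None
    return {"rule": "scheduled-task-js-downloader",
            "command_line": ev.command_line}


def scan(events):
    """Run every rule over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for rule in (detect_type_concat, detect_scheduled_js):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed events, the scan reports exactly two findings: the scheduler-launched .js script and the two-part concatenation into out.exe; the single-file `type` and the user-launched script are left alone. In production the svchost.exe parent match is broad, so a real rule would additionally check that the parent is the Schedule service instance and would correlate the concatenation with the preceding downloads of the two part files.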

“Additionally, the comment string "CHANGES 15.03.19" is contained within the malicious JavaScript downloader, suggesting this actor updated the code on March 15,” researchers said in the post. “This indicates that these changes to the Qbot persistence mechanism seem to coincide with the launch of a new campaign.”

Researchers said they first observed a spike in requests to the hijacked domains on April 2, 2019, which coincided with DNS changes made to the same domains on March 19, 2019.

Earlier this year, a new polymorphic variant of the malware spread, targeting U.S. corporations and compromising thousands of victims around the world.
