What Is Qakbot?
Qakbot (also known as Qbot or Pinkslipbot) is a modular second-stage malware family with backdoor capabilities. It began life as a credential stealer and was listed by CISA as one of the top malware strains of 2021. Variously classified as a banking trojan, a worm, and a remote access trojan (RAT), Qakbot steals sensitive data and attempts to propagate to other systems on the network. It also gives its operators remote code execution (RCE) on the infected host, which lets them work hands-on-keyboard toward secondary objectives such as scanning the compromised network or deploying ransomware.
Qakbot has been used by prominent ransomware gangs such as REvil, ProLock, and LockBit to deliver several big-game-hunting ransomware strains. Its modules also automate the theft of financial data, locally stored email, system passwords or password hashes, website passwords, and cookies from browser caches, and can log keystrokes to capture any credentials the user types.
Discovered in 2008, Qakbot has been updated continually over its lifetime, and its use rises and falls with its update cycle. After updated versions appeared in 2015, Qakbot gained new momentum; in 2020, threat researchers reported that the release of a new Qakbot strain drove a 465 percent year-over-year increase in its share of cyberattacks. In 2021, Qakbot was used in the prominent breach of JBS, which disrupted the company's meat-processing facilities and ended in an $11 million ransom payment.
Latest Qakbot News
- Inside the FBI and DOJ Takedown of Qakbot, the “Swiss Army Knife” of Malware (BlackBerry Blogs)
- QakBot Threat Actors Still in Action, Using Ransom Knight and Remcos RAT in Latest Attacks (The Hacker News)
- FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown (FBI.gov)
- Cyberattacks Targeting macOS vs Windows (BlackBerry Blog)
How Qakbot Works
As a second-stage payload, Qakbot is introduced to a target system by first-stage downloader malware, either as part of the initial exploit or soon after initial access has been gained. Initial access can be obtained through several techniques, such as malspam or phishing email carrying a trojanized document (Qakbot campaigns are known for hijacking existing email threads so that the lure arrives as a reply to a genuine conversation), exploitation of a vulnerability in a public-facing service, or a malicious insider.
Once running on a target system, Qakbot sets out to steal credentials and to spread to other hosts on the network, using Microsoft PowerShell and the Mimikatz credential-dumping tool to harvest passwords and password hashes from memory.
Qakbot uses several techniques to steal sensitive information from victims, including:
- Monitoring keystrokes and sending the logs to attacker-controlled systems
- Enumerating local files and credential stores to locate stored password hashes
- Reading browser credential stores to steal passwords the browser has saved for autofill
Signs of a Qakbot Attack
Stealth is central to Qakbot's strategy as a second-stage payload. To avoid detection, it evaluates the local environment and declines to decrypt its payload or execute in some scenarios, such as when it detects virtualization or finds certain security products or Windows Registry keys present. This keeps the payload out of sandboxes and researchers' hands and delays analysis. Another stealth technique is injecting itself into (piggybacking on) legitimate application processes, so that its file and network activity appears to come from a trusted program.
An unexpected run key in the Windows Registry is one potential indicator of a Qakbot compromise. Registry run keys launch a program automatically when a user logs on, and Qakbot adds an entry to auto-start itself for persistence. Because Qakbot is updated in response to published security research specifically to mask its known indicators of compromise (IOCs), file names, paths, and hashes go stale quickly; behavioral indicators such as the persistence and injection patterns above are more durable.
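The run-key check described above, as an added example that is not part of the original article: a PowerShell triage script that enumerates the Run and RunOnce keys and scores each entry on two heuristics, whether the command references a user-writable directory and whether it launches through a signed Windows binary that loads code from disk (regsvr32.exe, rundll32.exe and similar). The directory list, binary list, scoring scheme and the constructed sample entries are assumptions for illustration, not Qakbot indicators; on a Windows host the script reads the live keys and only falls back to the sample entries when none are readable.

```powershell
# Added example (not from the original article): heuristic triage of Windows
# Run/RunOnce autostart entries for the persistence pattern described above, an entry
# that launches a payload from a user-writable directory, often via a signed Windows
# binary such as regsvr32.exe or rundll32.exe. The path list, binary list, scoring and
# sample entries below are assumptions made for illustration.

$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Directories an unprivileged user (and so a payload running as that user) can write to.
$UserWritable = @('\appdata\', '\temp\', '\programdata\', '\users\public\', '\downloads\')
# Signed Windows binaries commonly abused to load a DLL or script from disk.
$LolBins = @('rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')
$Rank = @{ high = 0; medium = 1; low = 2 }

function Get-AutorunEntries {
    # Enumerate the live keys; yields nothing where the registry drives do not exist.
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key -ErrorAction SilentlyContinue)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Test-SuspiciousAutorun {
    param([string]$Key, [string]$Name, [string]$Command)
    $lower   = $Command.ToLowerInvariant()
    $paths   = @($UserWritable | Where-Object { $lower.Contains($_) })
    $lolbins = @($LolBins     | Where-Object { $lower.Contains($_) })
    # A LOLBin told to load something from a user-writable path is the strong signal;
    # either alone is worth a look but also occurs in legitimate software.
    $severity = [int]($paths.Count -gt 0) + [int]($lolbins.Count -gt 0)
    [pscustomobject]@{
        Key      = $Key
        Name     = $Name
        Severity = @('low', 'medium', 'high')[$severity]
        Reason   = (@($paths + $lolbins) -join ', ')
        Command  = $Command
    }
}

# Constructed sample entries (not real indicators) used when no live keys are readable.
$Sample = @(
    [pscustomobject]@{ Key = 'sample'; Name = 'OneDrive'; Command = '"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background' },
    [pscustomobject]@{ Key = 'sample'; Name = 'xzyqwv';   Command = 'regsvr32.exe -s "C:\Users\alice\AppData\Roaming\Microsoft\Ghjk\ghjk.dll"' },
    [pscustomobject]@{ Key = 'sample'; Name = 'Updater';  Command = 'C:\Users\alice\AppData\Local\Temp\upd.exe' }
)

$entries = @(Get-AutorunEntries)
if ($entries.Count -eq 0) { $entries = $Sample }
$entries |
    ForEach-Object { Test-SuspiciousAutorun -Key $_.Key -Name $_.Name -Command $_.Command } |
    Sort-Object { $Rank[$_.Severity] } |
    Format-Table Severity, Name, Reason, Command -AutoSize
```

With the sample input the regsvr32 entry scores high (LOLBin plus AppData path), the Temp executable medium, and OneDrive low. Treat the output as a worklist rather than a verdict: legitimate updaters also live under AppData, so confirm a hit by checking the file's signature, creation time and parent process before acting, and extend the same logic to scheduled tasks and the Winlogon and Services keys, which are equally common persistence points.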
How to Prevent a Qakbot Attack
The most effective defense combines two things: preventing attackers from gaining initial access, and stopping Qakbot from spreading through the network if it has already gained a foothold.
Defensive Tactics for Preventing Qakbot Initial Access
- Conduct user awareness training on phishing techniques, including reply-chain lures that arrive inside existing email threads, and develop standard operating procedures for handling suspicious emails and documents
- Configure email clients to flag messages that originate outside the organization, and block password-protected .zip attachments at the mail gateway, since the password exists to keep the contents away from attachment scanners
- Configure Microsoft Office applications to block VBA macros, at minimum in files that carry the Mark of the Web from the internet
- Develop and maintain a vulnerability management program that scans public-facing services regularly and remediates findings promptly
- Install OS and application updates and security patches as soon as they become available
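The Office macro control from the list above, as an added example that is not part of the original article: a PowerShell script that reports and, on request, sets the per-user policy values behind "Disable all macros without notification" (VBAWarnings = 4) and "Block macros from running in Office files from the Internet" (blockcontentexecutionfrominternet = 1, which applies to files carrying the Mark of the Web). The registry paths are Microsoft's documented Office policy keys for version 16.0 (Office 2016/2019/365); the application list and the decision to manage only the current user's hive are assumptions for illustration. In a domain, deliver the same values through a Group Policy Object rather than running a script per user.

```powershell
# Added example (not from the original article): audit and apply the Office policy
# values that stop the "Enable Content" macro lure. VBAWarnings: 1 = enable all,
# 2 = disable with notification (the default; one click re-enables them),
# 3 = disable except digitally signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet = 1 blocks macros in files marked as downloaded
# from the internet. App list and HKCU scope are assumptions; use a GPO in a domain.

$OfficeApps = @('Word', 'Excel', 'PowerPoint')
$Desired = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }

function Get-MacroPolicyKey([string]$App) {
    "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
}

function Get-MacroPolicy {
    # Report the current value of each setting per app and whether it matches $Desired.
    foreach ($app in $OfficeApps) {
        $key = Get-MacroPolicyKey $app
        $current = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        foreach ($name in $Desired.Keys) {
            $value = if ($current -and $null -ne $current.$name) { [int]$current.$name } else { $null }
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Current   = $value          # $null means unset: Office falls back to its default
                Desired   = $Desired[$name]
                Compliant = ($value -eq $Desired[$name])
            }
        }
    }
}

function Set-MacroPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($app in $OfficeApps) {
        $key = Get-MacroPolicyKey $app
        if ($PSCmdlet.ShouldProcess($key, 'Apply macro-blocking policy')) {
            New-Item -Path $key -Force | Out-Null    # creates intermediate keys as needed
            foreach ($name in $Desired.Keys) {
                New-ItemProperty -Path $key -Name $name -Value $Desired[$name] -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

if (-not (Test-Path 'HKCU:\')) { Write-Warning 'No HKCU: drive found; run this on Windows.'; return }
Get-MacroPolicy | Format-Table -AutoSize   # audit before
Set-MacroPolicy -WhatIf                    # dry run; drop -WhatIf to apply
Get-MacroPolicy | Format-Table -AutoSize   # audit after
```

Run the audit first: a VBAWarnings value of 1 or 2 (or no value at all) means a user can enable a macro with a single click, which is exactly what a Qakbot maldoc asks them to do. Value 3 is a workable middle ground where signed internal macros are still needed, provided blockcontentexecutionfrominternet stays at 1.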
Defensive Tactics for Preventing Lateral Movement of Qakbot
- Implement strong access controls based on the principle of least privilege
- Enforce password policies that require long, high-entropy passwords, so that any stolen password hashes are impractical to crack offline
- Conduct regular vulnerability scans and remediate any identified vulnerabilities
- Use network security appliances such as IDS and next-generation firewalls, and harden the network further by segmenting critical systems into a separate VLAN and Windows domain
- Install and configure endpoint security products that scan encrypted documents as soon as they are decrypted and that identify IOCs on endpoints and the network
- Implement Zero Trust controls wherever possible, giving priority to critical systems