
This password-stealing malware just evolved a new tactic to remain hidden


Matrix


Windows malware campaign re-emerges with new techniques for attempting to stay under the radar.

 

A well-known form of malware which has been stealing login credentials and finances from enterprises for over a decade has once again been updated with new tricks to make it more effective at avoiding detection.

 

Qakbot - also known as Qbot - has been afflicting businesses since 2008, using worm-like capabilities to spread. The information-stealing trojan malware targets Microsoft Windows systems in an effort to create backdoors and make off with the usernames and passwords which can provide access to financial data.


Now Qakbot has been updated with a new persistence mechanism which makes it harder for victims to detect and remove the malware. The new obfuscation technique has been detailed by cybersecurity researchers at Cisco Talos.
 

Victims of the malware are usually infected via a dropper which, when successfully installed, will create a scheduled task on the infected machine that instructs it to execute a JavaScript downloader from one of a number of attacker-controlled malicious domains. 


These saw a spike in requests during April which appear to coincide with a new Qakbot campaign and a change in the persistence mechanism. 


The new downloader always requests resources from the same Uniform Resource Identifier on the hijacked domains which are XOR encrypted in order to help obfuscate the malicious data contained in a JavaScript downloader and allow the malware to go about its tasks.

 

This is also helped along by the malware now being divided into two separate files which are only reassembled to deploy Qakbot when the dropped executable is run – making it more difficult for anti-virus software to detect.


"Detection that is focused on seeing the full transfer of the malicious executable would likely miss this updated version of Qakbot. Because of this update to persistence mechanisms, the transfer of the malicious Qbot binary will be obfuscated to the point that some security products could miss it," said Ashlee Benge, security researcher at Cisco Talos.


Once deployed on an infected system, the trojan malware will work in the background to steal the relevant data for the goals of the attackers. Researchers have posted a full list of Qakbot's malicious domains as part of the malware analysis, along with hashes and indicators of compromise.


But the best form of defence against Qakbot is to stop it being deployed onto the machine in the first place, because even when the malware is removed, it can still cause ongoing issues.
 

 



BimBamSmash

So, how does that "dropper" get deployed on systems in the first place? The article is being vague on that.

 

I can imagine the usual suspects: cracked software, visiting malicious websites, email attachments, engineered office files or PDF documents, or thumb drives.

 

But oftentimes there is more than that. Like tampered code on a widely used free software. I think VLC and some BitTorrent Client by the name of Transmission fell for that once.

 

Wonder how this one gets spread.



The AchieVer

Hackers Launching Qakbot Malware to Steal Login Credentials and Wipe the Bank Accounts


A new wave of the Qakbot (Qbot) banking malware campaign utilizes an advanced persistence mechanism to steal credentials and drain victims' bank accounts.

 

Qbot mainly targets businesses, using a sophisticated evasion technique to remain undetected and make it harder for users to detect and remove the malware.

 

In order to perform this evasion and maintain its persistence, Qbot uses the long-utilized scheduled tasks mechanism.

 

The previously distributed Qakbot campaign was capable of monitoring the browsing activity of the infected computer and logging all information related to finance websites.

 

Also, the recent QakBot malware attacked Windows Active Directory users and locked out thousands of Active Directory users, which had a big impact on organizations' access to their networked assets.

Qakbot Malware Infection Chain

In the initial stage of infection, a dropper responsible for delivering Qakbot onto the victim's machine arrives with the help of spam emails and compromised websites.

 

After the infection process, a scheduled task is created that executes a JavaScript downloader, which makes a request to the hijacked domains.

C:\Windows\system32\schtasks.exe /create /tn {guid} /tr cmd.exe /C "start /MIN C:\Windows\system32\cscript.exe /E:javascript "C:\Users\USERNAME\ymwoyf.wpl" /sc WEEKLY /D TUE,WED,THU /ST 12:00:00 /F

According to Cisco Talos research, there was a spike in requests to these hijacked domains on April 2, 2019. This coincides with DNS changes made to these domains on March 19, 2019. Additionally, the comment string “CHANGES 15.03.19” is contained within the malicious JavaScript downloader, suggesting this actor updated the code on March 15.

 

After these changes were applied, the attackers started this new campaign, and the downloader requests the URI “/datacollectionservice[.]php3” from these hijacked domains.

 

The downloader's request to the hijacked domain is completely XOR encrypted at the beginning of the JavaScript, and the response from the domain arrives as (randalpha)_1.zzz and (randalpha)_2.zzz.

 

The JavaScript downloader decrypts the obfuscated .zzz files, and finally a scheduled task is created to execute a batch file.

 

Researchers found several malicious executables in the .zzz files, and the files are automatically deleted once execution of the infection process starts.

 

“There has been a change in the infection chain of Qakbot that makes it more difficult for traditional anti-virus software to detect. Because of this update to persistence mechanisms, the transfer of the malicious Qbot binary will be obfuscated to the point that some security products could miss it,” Cisco said.

 

 

 

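The schtasks command line quoted in the post above is the persistence step a defender can hunt for. The following is an added example (not code from either article or from Cisco Talos) that scores process-creation command lines for the traits of that invocation: a script host forced into JavaScript mode via /E:javascript, a payload under the user profile with a non-script extension such as .wpl, a bare GUID as task name, and a minimized start. The sample command lines, the GUID and the user names are constructed for the example.

```python
import ntpath
import re

# Constructed sample process-creation command lines (not from the thread);
# the first mirrors the shape of the schtasks invocation quoted above.
SAMPLE_EVENTS = [
    r'schtasks.exe /create /tn {0f1e2d3c-4b5a-6978-8a9b-c0d1e2f3a4b5} /tr cmd.exe /C "start /MIN C:\Windows\system32\cscript.exe /E:javascript "C:\Users\alice\ymwoyf.wpl"" /sc WEEKLY /D TUE,WED,THU /ST 12:00:00 /F',
    r'schtasks.exe /create /tn NightlyBackup /tr "C:\Program Files\Backup\run.exe" /sc DAILY /ST 02:00',
    r'schtasks.exe /create /tn DevTool /tr "cscript.exe /E:javascript C:\Users\bob\build.js" /sc ONLOGON',
]

SCHTASKS_CREATE = re.compile(r'\bschtasks(?:\.exe)?\s+/create\b', re.I)
# Script host told to treat the file as JavaScript regardless of its extension.
ENGINE_OVERRIDE = re.compile(r'\b[wc]script(?:\.exe)?\s+/E:(?:javascript|jscript)\b', re.I)
USER_PROFILE_PATH = re.compile(r'[A-Za-z]:\\Users\\[^"\s]+', re.I)
GUID_TASK_NAME = re.compile(r'/tn\s+\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?', re.I)
MINIMIZED = re.compile(r'\bstart\s+/MIN\b', re.I)
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def analyze_schtasks(cmdline):
    """Return indicators for one schtasks /create command line ({} otherwise)."""
    if not SCHTASKS_CREATE.search(cmdline):
        return {}
    indicators = []
    if ENGINE_OVERRIDE.search(cmdline):
        indicators.append("script-host-engine-override")
    m = USER_PROFILE_PATH.search(cmdline)
    if m and ntpath.splitext(m.group(0))[1].lower() not in SCRIPT_EXTS:
        # A script payload hiding behind a non-script extension such as .wpl
        indicators.append("user-profile-payload-nonscript-extension")
    if GUID_TASK_NAME.search(cmdline):
        indicators.append("guid-task-name")
    if MINIMIZED.search(cmdline):
        indicators.append("minimized-window")
    # Require two independent indicators so ordinary script tasks stay quiet.
    return {"indicators": indicators, "suspicious": len(indicators) >= 2}


def scan(events):
    """Return (index, analysis) for every suspicious command line in events."""
    return [(i, r) for i, e in enumerate(events)
            if (r := analyze_schtasks(e)).get("suspicious")]
```

Feed it the command-line field of Sysmon event 1 or Windows Security event 4688 records; the third sample shows why a single trait (a developer running a .js file with /E:javascript) is not enough on its own.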


Similar topics merged.

 

(Both articles are about Qakbot/Qbot use of a new persistence mechanism)


