QAKBOT: A Prevalent Infostealing Malware



What is WORM_QAKBOT?

WORM_QAKBOT or QAKBOT is a multi-component threat that remains prevalent since its first emergence in 2007. It continuously evolved to avoid easy detection on and removal from an infected system.

Early variants of this malware used constant file names which had the string,“_qbot” in them. They utilized single layer of encryption for their configuration files. Later variants, however, set the configuration files' attribute to Hidden and used random names for their component files and folders. These also doubled their configuration files' encryption, which made them harder to decrypt and analyze.

QAKBOT's payloads include malware infection and information theft.

How do users' systems get infected?

QAKBOT uses various infection vectors to arrive on the user's system. It may be downloaded onto a system when a user visits malicious sites. It may also arrive via .PDF files that specifically exploit Collab.collectEmailInfo and Collab.getIcon vulnerabilities and via default network shares.

What banking/finance-related websites does QAKBOT monitor?

QAKBOT monitors the following banking/finance-related websites:
  • access.jpmorgan.com
  • business-eb.ibanking-services.com
  • businessaccess.citibank.citigroup.com
  • businessonline.huntington.com
  • cpw-achweb.bankofamerica.com
  • directline4biz.com
  • directpay.wellsfargo.com
  • ebanking-services.com
  • express.53.com
  • ibc.klikbca.com
  • itreasury.regions.com
  • itreasurypr.regions.com
  • ktt.key.com
  • moneymanagergps.com
  • onb.webcashmgmt.com
  • onlineserv/CM
  • premierview.membersunited.org
  • tmconnectweb
  • treas-mgt.frostbank.com
  • treasury.pncbank.com
  • web-cashplus.com

Why is this threat noteworthy?

Trend Micro is monitoring this threat because of its malware technology specifically its stealth routines. This threat has several stealth routines such as blocking access to certain antivirus sites; hiding the files, folders, and registry entries it create; and deleting itself if found running on a virtual machine (VM). Moreover, QAKBOT quickly evolves, especially if the user does not subscribe to any kind of Web reputation services for his/her system. Trend Micro researchers also encountered QAKBOT-related cases that also involved CYCBOT, another information-stealing malware. 

Why is it a persistent threat?

There are many reasons why QAKBOT has remained a persistent threat over the years. First, it has many components that function differently from one another. These components include the main executable, _qbotinj.exe, _qbot.dll, _qbotnti.exe, msadvapi32.dll, a JavaScript, and a schedule task. When executed on a VM, it uninstalls itself and sends the VM information to a certain URL, which consequently makes it difficult to analyze. It also downloads its components and updates from specific URLs. It also has rootkit capabilities that help it hide its component files and processes. 

What is the driving force behind this threat? 

QAKBOT is an information-stealing malware that monitors and logs information pertaining to finance-related websites. Through stealing the said information, the cybercriminals behind this attack can generate profit. This threat particularly became prevalent in Q4 2009 and Q4 2010, which is not surprising since people tend to shop more online during the holidays.

How does this threat affect users?

When executed, the main executable file parses the package file that contains other component files and checks if it is running on a VM. It uninstalls itself if found running on VM. It then downloads updates and component files. Moreover, it also blocks access to several antivirus sites and hides its component files to avoid easy detection and removal. This worm also connects to an Internet Relay Chat (IRC )server to perform commands, hence compromising the infected system.

Are Trend Micro product users protected from this threat?

Trend Micro product users are protected from this threat via the Trend Micro™ Smart Protection Network™, which detects all variants of this malware family and their components. It also blocks all related URLs via the Web reputation technology.

FROM THE FIELD: EXPERT INSIGHTS

"A multi-component threat, QAKBOT comes with the following capabilities: propagation, information theft, rootkit , anti-emulation, backdoor, and blocked access to antivirus websites. Together, these functions are responsible for QAKBOT’s prevalence and effectiveness in infecting user’s system." Jessa dela Torre, Threat Response Engineer