A well-known form of malware which has been stealing login credentials and finances from enterprises for over a decade has once again been updated with new tricks to make it more effective at avoiding detection.
Qakbot – also known as Qbot – has been afflicting businesses since 2008, using worm-like capabilities to spread. The information-stealing trojan malware targets Microsoft Windows systems in an effort to create backdoors and make off with the usernames and passwords which can provide access to financial data.
Now Qakbot has been updated with a new persistence mechanism which makes it harder for victims to detect and remove the malware. The new obfuscation technique has been detailed by cybersecurity researchers at Cisco Talos.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
These saw a spike in requests during April which appear to coincide with a new Qakbot campaign and a change in the persistence mechanism.
This is also helped along by the malware now being divided into two separate files which are only reassembled to deploy Qakbot when the dropped executable is run – making it more difficult for anti-virus software to detect.
“Detection that is focused on seeing the full transfer of the malicious executable would likely miss this updated version of Qakbot. Because of this update to persistence mechanisms, the transfer of the malicious Qbot binary will be obfuscated to the point that some security products could miss it,” said Ashlee Benge, security researcher at Cisco Talos.
Once deployed on an infected system, the trojan malware will work in the background to steal the relevant data for the goals of the attackers. Researchers have posted a full list of Qakbot’s malicious domains as part of the malware analysis, along with hashes and indicators of compromise.
But the best form of defence against Qakbot is to stop it being deployed onto the machine in the first place, because even when the malware is removed, it can still cause ongoing issues.
MORE ON CYBERCRIME
Credit: Source link