The Qakbot banking Trojan has updated its persistence mechanism in recent attacks and also received changes that potentially allow it to evade detection, Talos’ security researchers say.
Also known as Qbot and Quakbot, the Trojan has been around for nearly a decade, and has received a variety of changes over time to remain a persistent threat, although its functionality remained largely unaltered.
Known for the targeting of businesses to steal login credentials and eventually drain their bank accounts, the malware has received updates to the scheduled task it uses to achieve persistence on the infected systems, which also allows it to evade detection.
A spike in requests to these hijacked domains observed on April 2, 2019 (which follows DNS changes made to them on March 19) suggests that the threat actor has made updates to the persistence mechanism only recently, in preparation for a new campaign.
At the same time, a scheduled task is created to execute a batch file. The code reassembles the Qakbot executable from the two .zzz files, using the type command, after which the two .zzz files are deleted.
The changes in the infection chain make it more difficult for traditional anti-virus software to detect attacks, and the malware may easily be downloaded onto target machine, given that it is now obfuscated and saved in two separate files.
“Detection that is focused on seeing the full transfer of the malicious executable would likely miss this updated version of Qakbot. Because of this update to persistence mechanisms, the transfer of the malicious Qbot binary will be obfuscated to the point that some security products could miss it,” Talos concludes.
Source: infosec island