In the last few months, Qakbot infections have seen a dramatic increase, with some security vendors seeing a four-fold increase in infections in Q3/Q4 of 2022. However, Qakbot is not new. Also known as QBot or Pinkslipbot, it was first seen in 2007 and has evolved over the last 15 years. It has been used by various threat actors for a number of purposes, such as stealing banking credentials, ransomware operations, and spying on the operations of organizations all over the world.
Qakbot primary vectors
Recent Qakbot infections most often have malicious emails as their source. Typically, these emails contain links or attachments that place a ZIP file into the user's Downloads folder. Opening that ZIP exposes an ISO image which, once mounted, starts the Qakbot infection.
Typical operation
Many Qakbot infections operate in the same manner. The ISO image inside the initial ZIP is mounted, and executing its contents causes a chain of operations to occur:
- The malware modifies the machine it has infected so that Qakbot becomes persistent and survives reboots.
- Some Qakbot variants spread to other machines in the environment via network (SMB) shares.
- Its activities during the early stages of the infection are file operations, most of which go unnoticed by the end user and by some security solutions.
- It utilizes process injection techniques to evade detection by antivirus solutions when it takes malicious actions.
Qakbot mitigation techniques
Some of the most effective techniques for dealing with this threat are the basics. As many Qakbot infections start via a malicious email, an email protection solution is your first line of defense. Your second line of defense is a solid security awareness training program to educate users on how to deal with suspicious emails. Your third line of defense is utilizing EDR and NGAV solutions to monitor the processes that are running on the machines in your organization to detect the malware as early as possible. Additionally, Qakbot and other malware typically take advantage of operating system vulnerabilities, so having a program in place to keep up with operating system updates and ensure they are deployed as soon as reasonably possible will go a long way in reducing your environment's attack surface.
System Hardening
ISO Restriction: Qakbot is often executed from a mounted ISO, so one way to harden machines against infections is by preventing ISO images from being mounted. For most users, there is no usability impact with this change.
Administrative Shares: Since some Qakbot variants spread through an environment via network shares, disabling the administrative shares built into Windows can reduce the malware’s ability to move from machine to machine. However, many legitimate applications rely on these shares to function, so this is a change that requires careful evaluation before wide-scale implementation. In some environments, these shares are necessary and cannot be disabled. In this case, additional monitoring should be employed to protect them.
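As an added example (not part of the original article), the read-only PowerShell audit below reports whether the two hardening controls just described are in place on a Windows machine. The registry paths are the standard Device Installation Restrictions policy and LanmanServer parameters; the virtual DVD-ROM hardware ID is an assumption that should be confirmed on a test machine with an ISO mounted.

```powershell
# Added example: read-only audit of the ISO-mount and administrative-share
# hardening controls. Run in an elevated PowerShell session (Windows 8 /
# Server 2012 or later). Nothing is changed; the script only reports state.
#
# Assumption: this is the hardware ID Windows' built-in ISO mounting reports.
# Verify with (Get-PnpDevice -Class CDROM).HardwareID while an ISO is mounted.
$IsoHardwareId    = 'SCSI\CdRomMsft____Virtual_DVD-ROM_'
$DeviceInstallKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$LanmanKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-IsoMountBlocked {
    # Device Installation Restrictions: DenyDeviceIDs=1 plus the ID listed
    # under the DenyDeviceIDs subkey stops Windows from creating the virtual
    # DVD drive that mounting an ISO depends on.
    $policy = Get-ItemProperty -Path $DeviceInstallKey -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.DenyDeviceIDs -ne 1) { return $false }
    $ids = Get-ItemProperty -Path (Join-Path $DeviceInstallKey 'DenyDeviceIDs') -ErrorAction SilentlyContinue
    if (-not $ids) { return $false }
    # The deny list is stored as string values named "1", "2", ...
    $listed = $ids.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    return [bool]($listed -contains $IsoHardwareId)
}

function Get-AdminShareStatus {
    # Special=$true marks the built-in shares (ADMIN$, C$, IPC$). IPC$ cannot be
    # removed, so it is excluded. AutoShareWks (workstation) or AutoShareServer
    # (server) set to 0 stops Windows from recreating the others at boot.
    $shares   = Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' }
    $params   = Get-ItemProperty -Path $LanmanKey -ErrorAction SilentlyContinue
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    $valueName = if ($isServer) { 'AutoShareServer' } else { 'AutoShareWks' }
    [pscustomobject]@{
        ActiveAdminShares = ($shares.Name -join ', ')
        AutoShareSetting  = $valueName
        AutoShareDisabled = ($params.$valueName -eq 0)
    }
}

$admin = Get-AdminShareStatus
[pscustomobject]@{
    IsoMountBlocked   = Test-IsoMountBlocked
    ActiveAdminShares = $admin.ActiveAdminShares
    AutoShareSetting  = $admin.AutoShareSetting
    AutoShareDisabled = $admin.AutoShareDisabled
} | Format-List
```

A machine where AutoShareDisabled is false but ActiveAdminShares is empty has only had the shares removed for the current session; they return at the next restart.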
Remain Vigilant
Exercise caution when receiving suspicious emails, especially those containing attachments and links. Implement a robust email protection solution. Keep abreast of vulnerabilities and patch/update as soon as possible. Utilize an effective EDR/NGAV solution to provide visibility into processes in your environment. Harden machines where able, making sure that these changes strike a balance between security and usability. Stay calm, stay sharp.