QakBot Banking malware causes massive Active Directory lockouts

Pierluigi Paganini June 04, 2017

Security experts at IBM noticed that hundreds to thousands of Active Directory users were locked out of their company’s domain by the QakBot Banking malware

Malware researchers at IBM noticed that hundreds to thousands of Active Directory users were locked out of their organization’s domain, the incident is caused by the Qbot banking malware. The malware was first discovered in 2009, it was continuously improved over the time.

QakBot Banking malware

The Qbot banking malware was designed to target businesses and steal money from bank accounts, it implements network wormable capabilities to self-replicate through shared drives and removable media.

The Qbot banking malware is also able to steal user data such as digital certificates, keystrokes, cached credentials, HTTP(S) session authentication data, cookies, authentication tokens, and FTP and POP3 credentials.

The recent campaigns mainly targeted the US business banking services, including treasury, corporate banking, and commercial banking.

“This is the first time IBM X-Force has seen the malware cause AD lockouts in affected organizational networks.” reads the blog post published by IBM.

“QakBot is modular, multithread malware whose various components implement online banking credential theft, a backdoor feature, SOCKS proxy, extensive anti-research capabilities and the ability to subvert antivirus (AV) tools. Aside from its evasion techniques, given admin privileges, QakBot’s current variant can disable security software running on the endpoint.”

Qbot banking malware implements singular detection circumvention mechanisms leveraging a rapid mutation to elude AV.

“Upon infecting a new endpoint, the malware uses rapid mutation to keep AV systems guessing. It makes minor changes to the malware file to modify it and, in other cases, recompiles the entire code to make it appear unrecognizable,” states IBM.

The QakBot Banking malware leverages a dropper for distribution, researchers observed it uses delayed execution (10 to 15 minutes) to evade detection.

The dropper executes an explorer.exe instance and injects the QakBot Dynamic Link Libraries (DLL) into that process, then it corrupts its original file.

The dropper uses the ping.exe utility to invoke a ping command that will repeat six times in a loop:

C:\Windows\System32\cmd.exe” /c ping.exe -n 6 & type “C:\Windows\System32\autoconv.exe” à “C:\Users\UserName\Desktop\7a172.exe

Once the pings are complete, the contents of the original QakBot dropper are overwritten by the legitimate Windows autoconv.exe command.

QakBot gains on the target machine using a Registry runkey and scheduled tasks.

Experts observed the malware targeting Active Directory domains by performing three specific actions:

  • lock out hundreds to thousands of accounts in quick succession; it would perform automated
  • it would perform automated logon attempts, some launched using accounts that do not exist;
  • it would deploy malicious executables to network shares and register them as a service.

To spread through the target network, the QakBot Banking malware implements lateral movements, both automatically and on-demand, using a specific command from the C&C server.

“To access and infect other machines in the network, the malware uses the credentials of the affected user and a combination of the same user’s login and domain credentials, if they can be obtained from the domain controller (DC). QakBot may collect the username of the infected machine and use it to attempt to log in to other machines in the domain.” continues the analysis. “If the malware fails to enumerate usernames from the domain controller and the target machine, the malware will use a list of hardcoded usernames instead.”

The malware used man-in-the-browser (MitB) attacks to inject malicious code into online banking sessions, it fetches the scripts from the domain it controls.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – QakBot Banking malware, hacking)

[adrotate banner=”13″]

you might also like

leave a comment