QAKBOT: A decade-old malware still with new tricks

    • Updated:
    • 17 Dec 2020
    • Product/Version:
    • Apex One 2019
    • Deep Discovery Email Inspector All
    • Deep Discovery Inspector All
    • Deep Security 12.0
    • OfficeScan XG
    • ScanMail for Exchange 14.0
    • Worry-Free Business Security Advanced 10.0
    • Worry-Free Business Security Standard 10.0
Summary

QAKBOT, also known as QBOT, is a banking Trojan first discovered in 2007. Its main purpose is to steal banking credentials and other financial information. It continues to evolve: variants have worm-like capabilities, can drop additional malware, log user keystrokes, and open a backdoor on compromised machines. It also uses advanced and novel techniques to evade detection and to hinder manual analysis.

In its resurgence, QAKBOT was found to be dropped by other malware such as EMOTET, or distributed through spam campaigns that use context-aware spam: emails disguised as replies to an existing email thread. The mail body carries a link to download a ZIP file, or the ZIP file is attached. The archive contains a VBS file or a weaponized Office document that drops and executes the QAKBOT payload. The payload drops its components and a copy of itself onto the compromised machine, creates an autorun registry entry and a scheduled task for persistence, and injects itself into an explorer.exe process. Once it establishes a connection to the C&C server, it can send the stolen credentials, extract email threads from Outlook clients, give the operator remote access to the compromised machine, and be used to drop other malware such as PROLOCK ransomware.

Behaviour

  • Steals banking credentials and other financial information
  • Uses anti-analysis and anti-debug techniques
  • Drops a copy of itself and its components onto the compromised machine
  • Creates an autorun registry entry and a scheduled task for persistence
  • Delivers other malware payloads such as PROLOCK ransomware
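The Summary and Behaviour sections above say QAKBOT persists through an autorun registry value and a scheduled task, but give no way to look for them on a host. The script below is an added example for this page (not from the article and not Trend Micro code). It parses the two formats Windows itself exports, `reg export` text for the Run keys and Task Scheduler XML from `schtasks /query /xml`, and flags entries whose command runs from, or loads a file from, a directory a standard user can write to. The directory list, the proxy-host list, and every path, key name and task name in the sample data are constructed assumptions, not indicators taken from this article; the heuristic is generic user-land persistence hunting, not a QAKBOT signature.

```python
"""Flag Run-key values and scheduled-task actions that run from user-writable
paths. Inputs are `reg export` text and Task Scheduler XML. Sample data at the
bottom is constructed; every path and name in it is hypothetical."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Path fragments a standard user can write to (assumption; tune per estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
# Signed Windows binaries that are benign themselves but run whatever path they are given.
PROXY_HOSTS = {"regsvr32.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "powershell.exe"}


def _split_command(cmd):
    """Return (executable, remaining arguments), honouring a quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def _in_user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def classify(cmd):
    """Reasons a command line looks like user-land persistence (empty list = nothing flagged)."""
    exe, rest = _split_command(cmd)
    reasons = []
    if _in_user_writable(exe):
        reasons.append("executable in user-writable path")
    if exe.lower().rsplit("\\", 1)[-1] in PROXY_HOSTS and _in_user_writable(rest):
        reasons.append("proxy host loading user-writable path")
    return reasons


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a `reg export` dump."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and key:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def parse_task_xml(xml_doc):
    """Yield (task URI, command line) for each Exec action; accepts str or the file's raw bytes."""
    root = ET.fromstring(xml_doc)
    uri = root.findtext(TASK_NS + "RegistrationInfo/" + TASK_NS + "URI") or "?"
    for ex in root.iter(TASK_NS + "Exec"):
        cmd = ex.findtext(TASK_NS + "Command") or ""
        args = ex.findtext(TASK_NS + "Arguments") or ""
        yield uri, (cmd + " " + args).strip()


def hunt(reg_text, task_xmls):
    """Return [(source, reasons)] for every flagged Run value or task action."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        reasons = classify(data)
        if reasons:
            hits.append((key + "\\" + name, reasons))
    for xml_doc in task_xmls:
        for uri, cmd in parse_task_xml(xml_doc):
            reasons = classify(cmd)
            if reasons:
                hits.append(("task " + uri, reasons))
    return hits


# Constructed sample input; the vendor entry is a benign control, the rest are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Xyzw\\xyzw.exe\""
"Helper"="regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"
'''

SAMPLE_TASK = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Xyzw\Update</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Roaming\Microsoft\Xyzw\xyzw.exe</Command></Exec>
  </Actions>
</Task>'''

if __name__ == "__main__":
    for source, reasons in hunt(SAMPLE_REG, [SAMPLE_TASK]):
        print(source, "->", "; ".join(reasons))
```

Exported task XML is UTF-16 with an XML declaration, so pass the file's raw bytes rather than a decoded string to parse_task_xml and ElementTree will honour the declaration. Expect false positives from per-user installers such as OneDrive or Teams that legitimately run from AppData; pair the path heuristic with an allowlist of signed publishers or known-good hashes rather than trusting paths alone.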

Capabilities

  • Information Theft
  • Backdoor commands

Impact

  • Violation of user privacy: gathers user credentials, logs keystrokes and steals user information
  • Compromise of system security: backdoor capabilities that can execute malicious commands
  • Regional Impact (September 2020)
    Customer case count by region (EUROPE, JAPAN, AMERICAS, APAC, N-ASIA, AMEA): 186533231 (the per-region figures are run together in the source)
    SPN VSAPI feedback by region (EMEA, JAPAN, NABU, LAR, APAC): 224,502128617151,573 (the per-region figures are run together in the source)

Additional Threat Reference Information

Sample Spam

Below are samples of context-aware spam: emails disguised as delivery notifications that appear as replies to existing email threads.

[Figure: two sample spam emails]

Sample Attachment

The attachment contains a hidden sheet holding a macro script; the script text is itself hidden by setting the font color to match the cell background.

[Figure: the attachment's hidden macro sheet]
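The attachment description above gives an analyst two static indicators: a sheet that is hidden, and cell text coloured to match its background. The Python below is an added example for this page (not part of the Trend Micro article and not Trend Micro code) that checks an .xlsx/.xlsm for both without opening it in Excel, by reading the OOXML parts inside the ZIP container directly. It assumes the hidden sheet is one whose workbook state is hidden or veryHidden, and additionally looks for an Excel 4.0 macro sheet under xl/macrosheets/ and an Auto_Open defined name; that those are present in the real sample is an assumption, not something the article states. The workbook it builds is constructed and minimal (not a file Excel would open), with hypothetical sheet names and cell contents.

```python
"""Static triage of an .xlsx/.xlsm for a hidden sheet and for cell text made
invisible by giving the font the same colour as the cell background. Standard
library only; no macro is executed. build_sample() is a constructed workbook."""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
REL = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
WHITE = "FFFFFFFF"  # an unfilled cell sits on Excel's default white background


def _children(root, tag):
    node = root.find(MAIN + tag)
    return list(node) if node is not None else []


def _argb(color):
    """ARGB string for a <color> element; theme index 0 is the window colour (white)."""
    if color is None:
        return None
    if color.get("rgb"):
        return color.get("rgb").upper()
    return WHITE if color.get("theme") == "0" else "THEME" + str(color.get("theme"))


def _invisible_style_ids(styles_xml):
    """Indexes into cellXfs whose font colour equals the cell fill colour."""
    root = ET.fromstring(styles_xml)
    fonts = [_argb(f.find(MAIN + "color")) or "FF000000" for f in _children(root, "fonts")]
    fills = [_argb(f.find(MAIN + "patternFill/" + MAIN + "fgColor")) or WHITE
             for f in _children(root, "fills")]
    bad = set()
    for idx, xf in enumerate(_children(root, "cellXfs")):
        fo, fi = int(xf.get("fontId", 0)), int(xf.get("fillId", 0))
        if fo < len(fonts) and fi < len(fills) and fonts[fo] == fills[fi]:
            bad.add(idx)
    return bad


def _count_invisible_cells(sheet_xml, bad_styles):
    """Non-empty cells on the sheet that use one of the invisible styles."""
    root = ET.fromstring(sheet_xml)
    return sum(1 for c in root.iter(MAIN + "c")
               if int(c.get("s", 0)) in bad_styles
               and (c.find(MAIN + "v") is not None or c.find(MAIN + "f") is not None))


def triage_xlsx(data):
    """Report hidden sheets, macro sheets, invisible cells and Auto_Open hooks."""
    report = {"sheets": [], "auto_open_names": [], "invisible_style_ids": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        bad = _invisible_style_ids(z.read("xl/styles.xml")) if "xl/styles.xml" in names else set()
        report["invisible_style_ids"] = sorted(bad)
        # Map r:id -> part path; sheet order in workbook.xml need not match file names
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): r.get("Target") for r in rels}
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for s in wb.iter(MAIN + "sheet"):
            target = targets.get(s.get(REL + "id"), "")
            path = target[1:] if target.startswith("/") else "xl/" + target
            entry = {"name": s.get("name"), "state": s.get("state", "visible"),
                     "macrosheet": "macrosheets/" in path, "invisible_cells": 0}
            if path in names:
                entry["invisible_cells"] = _count_invisible_cells(z.read(path), bad)
            report["sheets"].append(entry)
        for dn in wb.iter(MAIN + "definedName"):
            if "auto_open" in (dn.get("name") or "").lower():
                report["auto_open_names"].append((dn.get("name"), dn.text))
    return report


def is_suspicious(report):
    """True when a hidden or macro sheet carries invisible cells, or an Auto_Open hook exists."""
    return bool(report["auto_open_names"]) or any(
        (s["state"] != "visible" or s["macrosheet"]) and s["invisible_cells"] > 0
        for s in report["sheets"])


def build_sample():
    """Constructed minimal workbook: a visible decoy sheet plus a veryHidden
    macro sheet whose cells use white text on the default white background."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    parts = {
        "xl/workbook.xml": f'<workbook {ns} xmlns:r="{REL[1:-1]}"><sheets>'
            '<sheet name="Invoice" sheetId="1" r:id="rId1"/>'
            '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets>'
            '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
            '</definedNames></workbook>',
        "xl/_rels/workbook.xml.rels":
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Target="macrosheets/sheet1.xml"/></Relationships>',
        "xl/styles.xml": f'<styleSheet {ns}><fonts><font><color rgb="FF000000"/></font>'
            '<font><color rgb="FFFFFFFF"/></font></fonts>'
            '<fills><fill><patternFill patternType="none"/></fill></fills>'
            '<cellXfs><xf fontId="0" fillId="0"/><xf fontId="1" fillId="0"/></cellXfs></styleSheet>',
        "xl/worksheets/sheet1.xml": f'<worksheet {ns}><sheetData><row r="1">'
            '<c r="A1" s="0" t="str"><v>Invoice</v></c></row></sheetData></worksheet>',
        "xl/macrosheets/sheet1.xml": f'<worksheet {ns}><sheetData><row r="1">'
            '<c r="A1" s="1" t="str"><v>hidden 1</v></c>'
            '<c r="B1" s="1" t="str"><v>hidden 2</v></c></row></sheetData></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_xlsx(build_sample())
    print(rep, "suspicious:", is_suspicious(rep))
```

Run it on a real attachment with `triage_xlsx(open(path, "rb").read())`. The colour check is a heuristic: it compares explicit RGB values and treats theme colour 0 as white, so a font set to another theme colour that happens to match a themed fill is missed. A hidden sheet on its own is also common in legitimate workbooks, which is why is_suspicious requires invisible cells on a hidden or macro sheet, or an Auto_Open hook, before it fires.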

Infection Chain

[Figure: infection chain diagram]

MITRE ATT&CK Matrix

Each entry gives the observed behavior, the tactic, and the technique IDs.

  • Initial Access: mail arrives with an attachment, or a link to a ZIP file, containing a VBS file or an Office document
    T1566.001 Phishing: Spearphishing Attachment
    T1566.002 Phishing: Spearphishing Link
  • Execution: the victim is lured into opening the VBS file or the macro-enabled Office document
    T1204.002 User Execution: Malicious File
  • Execution: the script downloads and executes the payload
    T1059.005 Command and Scripting Interpreter: Visual Basic
    T1059.001 Command and Scripting Interpreter: PowerShell
  • Defense Evasion: the downloaded VBS file or Office document carries an obfuscated script to hinder manual analysis and has anti-analysis and anti-debug features; the payload injects itself into an explorer.exe process
    T1027 Obfuscated Files or Information
    T1497 Virtualization/Sandbox Evasion
    T1480 Execution Guardrails
    T1055 Process Injection
  • Persistence: creates an autorun registry entry and a scheduled task
    T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    T1053.005 Scheduled Task/Job: Scheduled Task
  • Discovery, Collection, Credential Access: steals banking credentials or other financial information and extracts email threads from Outlook clients
    T1082 System Information Discovery
    T1114.001 Email Collection: Local Email Collection
    T1539 Steal Web Session Cookie
    T1555.003 Credentials from Password Stores: Credentials from Web Browsers
    T1110 Brute Force
  • Command and Control: connects to a C&C server
    T1071.001 Application Layer Protocol: Web Protocols
    T1105 Ingress Tool Transfer
  • Exfiltration
    T1048 Exfiltration Over Alternative Protocol

Available Solutions

Each entry gives the solution module, whether a solution is available, the pattern branch and release date, and the detection/policy/rule names.

  • Email Protection: available; AS Pattern 5698 (September 30, 2020)
  • URL Protection: available; in the cloud
  • Advanced Threat Scan Engine (ATSE): available; 16.259.00 (October 1, 2020)
  • Predictive Learning (TrendX): available; in the cloud; detection Troj.Win32.TRX.XXPE50FFF036
  • File detection (VSAPI): available; ENT OPR 16.257.00 (October 1, 2020); detections:
    Backdoor.Win32.QAKBOT.SMF1
    Backdoor.Win32.QAKBOT.SMTHA
    Backdoor.Win32.QAKBOT.THIOIBO
    Backdoor.Win32.QAKBOT.TIGOCEM
    Trojan.VBS.QAKBOT.YAKFX
    Trojan.W97M.QAKBOT.AH
    Trojan.X97M.QAKBOT.AB
    Trojan.XF.QAKBOT.AA
    TrojanSpy.Win32.QAKBOT.TIGOCEK
  • Network Pattern: available; NCIP 1.14323.00 (October 9, 2020); rule QAKBOT - Malicious Certificate - SSL - Variant 3
  • Behavioral Monitoring (AEGIS): available; 2.177.00 (September 29, 2020); rule 4560T
Category:
Remove a Malware / Virus
Solution Id:
000283381