A banking trojan known as QakBot is capable of triggering Active Directory lockouts while seeking to drain corporate bank accounts.
Once the banking trojan lands on a machine, it does everything in its power to stay there. As Michael Oppenheim, Kevin Zuk, Matan Meir, and Limor Kessem of IBM X-Force explain:
“Overall, QakBot’s detection circumvention mechanisms are less common than those used by other malware of its class. Upon infecting a new endpoint, the malware uses rapid mutation to keep AV systems guessing. It makes minor changes to the malware file to modify it and, in other cases, recompiles the entire code to make it appear unrecognizable.”
It then leverages the infected user's login and domain credentials (if obtained from the domain controller) in an attempt to infect other machines on the same network. To boost its success rate, QakBot comes with hardcoded passwords for dictionary-style attacks, including those where the username and password are the same or are mirror images of one another. These guesses generate repeated failed logon attempts against many accounts, which can trip the domain's account lockout threshold and lock legitimate users out.
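The lockout side effect described above is also what gives defenders a detection opportunity: one workstation producing failed logons (Windows Security Event ID 4625) against many different accounts in a short window, followed by account lockouts (Event ID 4740) that name that workstation as the caller. The following is an added example, not code from the article or from IBM X-Force: the log lines are constructed and flattened to a simplified `key=value` format (the field names `TargetUserName`, `WorkstationName` and `CallerComputerName` mirror the real Windows event fields, but the one-line layout is an assumption), and the thresholds are illustrative starting points to tune per environment.

```python
"""
Flag the failed-logon pattern that credential-guessing lateral movement
leaves in Windows Security logs: a single source host hitting many
accounts with 4625 (failed logon) events inside a short window, and
4740 (account locked out) events that blame the same host.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article). One event per line:
# "<ISO timestamp> EventID=<id> <field>=<value> ...". The field names
# mirror the Windows Security log; the flattened format is an assumption.
SAMPLE_LOG = """\
2017-06-01T09:00:01 EventID=4625 TargetUserName=jsmith WorkstationName=WS-017
2017-06-01T09:00:02 EventID=4625 TargetUserName=jsmith WorkstationName=WS-017
2017-06-01T09:00:03 EventID=4625 TargetUserName=mlee WorkstationName=WS-017
2017-06-01T09:00:04 EventID=4625 TargetUserName=mlee WorkstationName=WS-017
2017-06-01T09:00:05 EventID=4625 TargetUserName=achen WorkstationName=WS-017
2017-06-01T09:00:06 EventID=4625 TargetUserName=achen WorkstationName=WS-017
2017-06-01T09:00:07 EventID=4625 TargetUserName=svc_backup WorkstationName=WS-017
2017-06-01T09:00:08 EventID=4625 TargetUserName=svc_backup WorkstationName=WS-017
2017-06-01T09:00:09 EventID=4625 TargetUserName=rpatel WorkstationName=WS-017
2017-06-01T09:00:10 EventID=4625 TargetUserName=rpatel WorkstationName=WS-017
2017-06-01T09:00:12 EventID=4740 TargetUserName=jsmith CallerComputerName=WS-017
2017-06-01T09:00:13 EventID=4740 TargetUserName=mlee CallerComputerName=WS-017
2017-06-01T09:15:00 EventID=4625 TargetUserName=bgarcia WorkstationName=WS-042
2017-06-01T09:15:30 EventID=4625 TargetUserName=bgarcia WorkstationName=WS-042
2017-06-01T09:16:10 EventID=4625 TargetUserName=bgarcia WorkstationName=WS-042
"""


def parse_line(line):
    """Turn one flattened log line into a dict with a datetime 'ts' key."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["EventID"] = int(event["EventID"])
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_spray(events, window_seconds=60, min_failures=8, min_accounts=3):
    """Return one alert per source host whose 4625 events, inside a sliding
    window of window_seconds, reach min_failures and span min_accounts
    distinct target accounts. A lone user mistyping their own password
    (one account) never qualifies, which keeps the rule quiet by default."""
    failures = defaultdict(list)
    for event in events:
        if event["EventID"] == 4625:
            failures[event.get("WorkstationName", "?")].append(event)

    alerts = []
    for host, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits in window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            accounts = {e["TargetUserName"] for e in window}
            if len(window) >= min_failures and len(accounts) >= min_accounts:
                alerts.append({
                    "host": host,
                    "first_seen": window[0]["ts"].isoformat(),
                    "failures": len(window),
                    "accounts": sorted(accounts),
                })
                break  # one alert per host is enough for triage
    return alerts


def lockouts_by_caller(events):
    """Group 4740 lockouts by the computer the domain controller blamed,
    so an alert from detect_spray can be corroborated against real lockouts."""
    lockouts = defaultdict(list)
    for event in events:
        if event["EventID"] == 4740:
            lockouts[event.get("CallerComputerName", "?")].append(event["TargetUserName"])
    return dict(lockouts)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for alert in detect_spray(parsed):
        print("possible credential spray from", alert["host"], alert)
    print("lockouts by caller:", lockouts_by_caller(parsed))
```

Run against the constructed log, the rule fires once, for WS-017 (eight failures across four accounts within a minute), and the lockout grouping confirms that the same host caused the jsmith and mlee lockouts; WS-042, where one user fails three times, stays silent. In a real deployment the same logic would read from a SIEM or Windows Event Forwarding collector rather than an inline string, and the window and thresholds need tuning against the domain's own lockout policy.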
For each machine it infects, the malware implements man-in-the-browser (MitB) functionality to inject malicious code into online banking sessions. These web injections help the malware steal keystrokes, cached credentials, digital certificates, as well as other types of information that it needs to gain control over a business’s bank account. Attackers can then drain those accounts and harvest financial information to conduct additional attacks.
QakBot is known to primarily target treasury services. But that's ever changing, as Oppenheim and his colleagues point out:
“According to X-Force researchers, QakBot’s operators have been upgrading the malware’s code, persistence mechanisms, anti-AV and anti-research capabilities. As the malware evolves, it has also been known to target organizations in the health care and education sectors.”
To protect against QakBot, organizations should conduct security awareness training with their employees to avoid suspicious links and email attachments, keep machines' software up to date, and prevent unnecessary inter-workstation communication.