QakBot 2017 Variant - Part Worm, Part Banking Trojan, Part Infostealer

Old malware does not go away, as the recent revivals of old cases make clear. Yesterday we wrote about the renewed distribution of the well-known Backdoor.Nital and Gh0st RAT. This article is dedicated to another old piece of worm-type malware, QakBot, which has been around since 2009. Researchers have recently linked Microsoft Active Directory lockouts to QakBot.

Active Directory, Microsoft's directory server, is designed to let administrators manage networks from a single location. It is not hard to imagine the stress that Active Directory lockouts can cause admins.

Threat Summary

Type: Computer worm, banking Trojan, information stealer
Short description: A worm that spreads through network shares and removable media drives. The worm can download additional malware, steal sensitive information, or open a backdoor on the compromised system. It is also a banking Trojan.
Symptoms: In its latest operation, victims are locked out of Active Directory accounts.
Distribution method: Removable media drives, networks

QakBot Technical Overview

Simply put, QakBot is a worm that spreads through network shares and removable media drives. The worm can download additional malware, steal sensitive information, or open a backdoor on the compromised system. A few years ago researchers discovered that QakBot also has rootkit capabilities, which hide its presence on the system and make it stealthier.

As for the latest damage associated with QakBot, the Active Directory lockouts, it took place last week and is a first for the malware.

According to researchers at IBM's X-Force, affected users were unable to access endpoints, company servers and networked assets on the affected domains.


QakBot Distribution

Just a couple of days ago a post appeared on Reddit describing the malware's renewed activity. According to the Reddit user who started the discussion, a school district was "entirely affected" by its latest variant.

The 2017 variant has been spreading with the help of a dropper that waits about 15 minutes before executing. The delay is meant to reduce the chance of detection by sandboxes or antivirus engines, which typically only observe a sample for a few minutes. The dropper then opens an executable, injects a DLL into it and overwrites the original file. Finally, the dropper downloads QakBot.

As already mentioned, the malware has always had worm-like capabilities, shown by its ability to self-replicate via shared drives and removable media. In its latest campaigns the malware is using the network to propagate, locking users out of their accounts in the process. The propagation is based on cycling through user and domain credentials, researchers say.

To do so, the malware pairs logins with various password-guessing techniques, such as guessing passwords using words from a dictionary. Whether this produces lockouts depends on the domain's account lockout threshold and observation window. "Under certain domain configurations, the malware's dictionary attack for accessing the target machines can result in multiple failed authentication attempts, which eventually trigger an account lockout," the researchers explained in a blog post.
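The lockout pattern described above leaves a clear trail in the domain controller's Security log: one caller computer locking out many accounts (event 4740) and one source host failing logons against many distinct user names (event 4625). The following script is an added example written for this article, not code from IBM X-Force or from SensorsTechForum. It assumes you run it on a domain controller (ideally the PDC emulator, which records every lockout in the domain) with the ActiveDirectory module installed; the 24-hour window and the "5 or more accounts per source" threshold are assumptions to tune for your environment.

```powershell
# Added example: hunt for QakBot-style dictionary attacks in the DC Security log.
# Assumptions: run on a DC (PDC emulator preferred), ActiveDirectory module present,
# read access to the Security log. Thresholds are assumed values, tune as needed.
param(
    [int]$Hours = 24,
    [int]$MinAccountsPerSource = 5   # assumed: one host failing against 5+ accounts is suspicious
)

# 1. The domain lockout policy decides whether a dictionary attack locks anyone out at all.
$policy = Get-ADDefaultDomainPasswordPolicy
"Lockout threshold: {0} bad attempts, observation window: {1}, duration: {2}" -f `
    $policy.LockoutThreshold, $policy.LockoutObservationWindow, $policy.LockoutDuration

$since = (Get-Date).AddHours(-$Hours)

# Helper: turn an event's XML <EventData> section into a name -> value hashtable,
# which is more reliable than parsing the rendered Message text.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 2. Event 4740 = "A user account was locked out". In this event TargetDomainName
#    carries the caller computer name, i.e. the machine that sent the bad passwords.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; CallerComputer = $d.TargetDomainName }
    }

"`nLockouts in the last $Hours h, grouped by caller computer:"
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 3. Event 4625 = failed logon. A worm cycling a word list against the domain shows up
#    as a single source touching many distinct TargetUserNames in a short time.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        $src = $d.WorkstationName
        if (-not $src) { $src = $d.IpAddress }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d.TargetUserName
            Source    = $src
            Status    = $d.Status      # 0xC0000234 = account locked out
            SubStatus = $d.SubStatus   # 0xC000006A = wrong password, 0xC0000064 = no such user
        }
    }

"`nSources failing against $MinAccountsPerSource or more distinct accounts:"
$failed | Group-Object Source |
    Where-Object { ($_.Group.Account | Sort-Object -Unique).Count -ge $MinAccountsPerSource } |
    ForEach-Object {
        [pscustomobject]@{
            Source    = $_.Name
            Attempts  = $_.Count
            Accounts  = ($_.Group.Account | Sort-Object -Unique).Count
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Accounts -Descending | Format-Table -AutoSize
```

Save the block as a .ps1 and run it elevated on the DC, for example `.\Find-Spray.ps1 -Hours 6 -MinAccountsPerSource 10`. The caller computer reported in 4740 and the top sources in the 4625 table are the hosts to isolate first; the 4625 SubStatus column separates guesses against real accounts (wrong password) from guesses against names that do not exist in the domain, which is a strong sign of an automated word list rather than a user mistyping.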

QakBot – a Worm and a Banking Trojan

QakBot is also known to target businesses. What makes it a real nightmare is that it is part worm, part banking Trojan:

QakBot is modular, multithread malware whose various components implement online banking credential theft, a backdoor feature, SOCKS proxy, extensive anti-research capabilities and the ability to subvert antivirus (AV) tools. Aside from its evasion techniques, given admin privileges, QakBot's current variant can disable security software running on the endpoint.

On top of everything else, QakBot continues to evade detection and is very persistent. Rebooting the system does not get rid of it, and neither do removal attempts that overlook its two persistence mechanisms, a Registry run key and a scheduled task: the malware loads again after each reboot. The scheduled task, created with schtasks.exe, makes the malware run at timed intervals.

To sum up, QakBot is a worm, a banking Trojan and an information stealer. Interestingly, it is "also the first Trojan that was designed to exclusively target the business banking sector, a vocation to which it has kept true throughout the past eight years". These are the sectors affected by the dangerous malware:
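The two persistence locations named above, Registry Run keys and scheduled tasks, are also the first places to look on a suspected endpoint. The script below is an added example for this article, not code from the researchers or the site; it enumerates both locations and flags entries whose executable lives in a user-writable directory, which is where a dropper typically lands. The list of suspicious directories is an assumption; adjust it to your build. Run it from an elevated PowerShell session on the endpoint.

```powershell
# Added example: list Run-key and scheduled-task persistence and flag entries that
# execute from user-writable paths. The directory list is an assumption, not a rule.
$suspiciousDirs = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\', '\Downloads\')

function Test-SuspiciousPath {
    param([string]$Command)
    if (-not $Command) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($dir in $suspiciousDirs) { if ($expanded -like "*$dir*") { return $true } }
    return $false
}

# 1. Run / RunOnce keys: machine-wide, 32-bit view, and every loaded user hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$runKeys += Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |   # real user SIDs only
    ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }

$findings = @(foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        [pscustomobject]@{
            Source     = "Registry: $key"
            Name       = $p.Name
            Command    = $p.Value
            Interval   = ''
            Suspicious = Test-SuspiciousPath $p.Value
        }
    }
})

# 2. Scheduled tasks. A task that re-runs a binary from %APPDATA% every few minutes
#    matches the timed re-execution described in the article.
$findings += @(Get-ScheduledTask | ForEach-Object {
    $task = $_
    $interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ }) -join ','
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        [pscustomobject]@{
            Source     = "Task: $($task.TaskPath)$($task.TaskName)"
            Name       = $task.Author
            Command    = $cmd
            Interval   = $interval               # e.g. PT5M = every 5 minutes
            Suspicious = Test-SuspiciousPath $cmd
        }
    }
})

$findings | Sort-Object Suspicious -Descending | Format-Table Suspicious, Interval, Source, Command -AutoSize -Wrap
"`nSuspicious entries: $(@($findings | Where-Object Suspicious).Count)"
```

Treat a hit as a lead, not a verdict: legitimate updaters also run from user profiles. What you are looking for is the combination the article describes, a Run key or a short-interval task pointing at a recently created binary in a profile directory, on a host that also appears as a caller computer in the domain lockout events.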

QakBot Mitigation and Protection

Since QakBot primarily targets banks and businesses, potential victims should use adaptive malware detection solutions with real-time capabilities. The very first thing, however, is cybersecurity awareness, researchers say. "Users can protect themselves and their organizations by practicing browsing hygiene, disabling online ads, filtering macro execution in files that come via email and observing other security best practices".

To mitigate QakBot activity on the network, organizations should ensure that domain accounts are configured with the least privilege needed to perform job tasks.

Organizations are also advised to create a decoy domain admin account, one that no person or service legitimately uses, and make sure that any attempt to use it is reported directly to the security information and event management (SIEM) system. A credential-cycling worm will try the account; a real user never will.

And finally, organizations should prevent workstation-to-workstation communications wherever possible, "to force malware out of the trenches and into areas where central detection systems will pick it up quickly", the researchers conclude.
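The three network mitigations above (least privilege, a decoy admin account that alerts on use, and no workstation-to-workstation traffic) can all be expressed in PowerShell. The block below is an added example written for this article, not the researchers' own tooling. The account name, the description, the subnets and the local alert query are assumptions; in a real deployment the firewall rules are pushed by Group Policy and the decoy-account alert lives in the SIEM that receives the forwarded Security logs.

```powershell
# Added example: least-privilege review, decoy domain-admin account, and a firewall
# rule pair that blocks peer-workstation SMB/RPC/WinRM. Names and subnets are assumed.
Import-Module ActiveDirectory

# 1. Least privilege: who actually holds Domain Admins, including through nested groups?
#    Every account listed here is a credential QakBot could reuse for lateral movement.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
    Format-Table -AutoSize

# 2. Decoy domain-admin account: plausible name, long random password that is never
#    recorded anywhere, and an alert on any authentication attempt that names it.
$canaryName = 'svc-backup-admin'   # assumed; choose something an attacker would find attractive
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
New-ADUser -Name $canaryName -SamAccountName $canaryName -AccountPassword $password `
    -Enabled $true -PasswordNeverExpires $true -Description 'Backup service account'
Add-ADGroupMember -Identity 'Domain Admins' -Members $canaryName
# Safer still: deny the decoy all logon rights via GPO ("Deny log on locally/through RDP/
# over the network"), so that even a correct guess gains nothing. The alert is the point.

function Get-CanaryActivity {
    # Local version of the SIEM rule: any of these events naming the decoy is an incident.
    # 4625 failed logon, 4768/4771 Kerberos TGT request and pre-auth failure, 4776 NTLM validation.
    param([string]$Name = $canaryName, [int]$Hours = 1)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4768, 4771, 4776; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "\b$([regex]::Escape($Name))\b" } |
        Select-Object TimeCreated, Id, MachineName, Message
}

# 3. Block workstation-to-workstation lateral movement on the domain profile.
#    Assumed: workstations live in 10.10.0.0/16, admin jump hosts in 10.20.0.0/24.
#    Windows Firewall evaluates Block rules before Allow rules, so the jump hosts must
#    sit outside the blocked range or the Allow rule never wins.
$wsSubnet       = '10.10.0.0/16'
$adminJumpHosts = '10.20.0.0/24'
$lateralPorts   = 135, 139, 445, 5985, 5986   # RPC, NetBIOS, SMB, WinRM
New-NetFirewallRule -DisplayName 'Block peer workstation SMB/RPC/WinRM' -Direction Inbound -Action Block `
    -Profile Domain -Protocol TCP -LocalPort $lateralPorts -RemoteAddress $wsSubnet
New-NetFirewallRule -DisplayName 'Allow admin jump hosts SMB/RPC/WinRM' -Direction Inbound -Action Allow `
    -Profile Domain -Protocol TCP -LocalPort $lateralPorts -RemoteAddress $adminJumpHosts
```

Run section 1 and 2 on a domain controller and section 3 on a workstation (or, better, bake the two rules into a GPO applied to the workstation OU). Once the rules are in place, the worm's attempts to reach peer workstations over SMB fail at the host firewall, and the only hosts it can still authenticate to are the servers and domain controllers whose logs feed the SIEM, which is exactly the "into areas where central detection systems will pick it up" effect the researchers describe.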



Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
