QakBot Banking Malware Increases

QakBot banking malware is on the rise: the number of users hacked increased by 65% in 2021.

In addition to functions fairly standard in banking Trojans, such as keystroke capture and the theft of cookies, passwords and logins, recent versions of QakBot include functions and techniques that allow the program to detect if it is running in a virtual environment. Virtual environments are often used by security and anti-malware professionals to identify the behavior of malware. If the malware detects that it is running in a virtual environment, it can stop suspicious activity or stop working altogether. In addition, QakBot tries to protect itself from being analyzed and debugged by cybersecurity experts and automated tools.

Another new and unusual feature noticed by Kaspersky researchers in recent versions of QakBot is the ability to steal emails from the hacked machine. These emails are then used in various social engineering campaigns against users on the victim's email contact list.

Kaspersky Malware Analyst Haim Zigel said: “QakBot is unlikely to cease operation anytime soon. This malware is constantly being updated, and the threat actors behind it are trying to add new capabilities to maximize revenue impact, as well as steal information, and it keeps updating its modules. Previously, we have seen QakBot actively spread via the Emotet botnet. This botnet ceased operations at the beginning of the year. However, judging by the increasing statistics of infection attempts compared to last year, the actors behind QakBot have found a new way to spread this malware.”

Kaspersky security solutions successfully detect and block all known versions of the QakBot banking Trojan.

You can learn more about QakBot on Securelist.

To protect against financial threats like QakBot, Kaspersky experts recommend:

Do not follow links in spam messages or open attachments.

Use online banking with multi-factor authentication solutions.

Make sure all your software is updated, including your operating system and all software applications. Attackers exploit vulnerabilities in commonly used programs to gain access to your system.

To prevent sensitive data (such as financial information) from being stolen, use a reliable security solution that can help you check the security of the URL you visit and open any site in a protected container.
