Breach, Content

Qakbot Trojan Malware Evades AV Software, Attacks Enterprise Networks

Share
Credit: Pixabay

Qakbot, self-propagating Trojan malware, is back and apparently stronger than ever, according to security researchers at cybersecurity solutions provider Cylance.

Over the last month, Qakbot has experienced "both functional enhancements and multiple layers of obfuscation, coupled with server-side ," Cylance said in a blog.

In addition, Qakbot continues to evade detection and response from traditional antivirus (AV) software, Cylance asserted.

Qakbot Malware Research

Cylance this week released a threat spotlight that highlights five Qakbot research trends:

  1. Qakbot is adapting to target 64-bit systems across the globe.
  2. The Qakbot code has been re-written from the ground up this year.
  3. More than 20 percent of the Qakbot code is designed for evasion and persistence.
  4. The Qakbot malware is directed at Trend Micro customers.
  5. Qakbot devastates Windows Defender.

Qakbot's core functionality has remained intact over the years, and the malware keeps returning, Cylance asserted.

"Qakbot continues to be a significant threat due to its credential collection capabilities and polymorphic features," Cylance stated. "Unhindered, this malware family can rapidly propagate through network shares and create an enterprise-wide incident."

Qakbot: Questions to Consider

To better understand Qakbot and its impact on enterprises, here are some of the questions to consider about the Trojan malware:

  1. What is Qakbot exactly? Qakbot initially emerged in 2007, Trend Micro reported. It is a form of Trojan malware that can steal credentials and spread through an enterprise over network shares, Cylance indicated.
  2. How is Qakbot delivered? Qakbot is administered via phishing emails, Cylance stated. Like a worm, Qakbot has the ability to travel and replicate laterally, Cylance pointed out.
  3. Are all enterprises susceptible to Qakbot? Cylance has discovered Qakbot victims across multiple industries, including manufacturing, law and payroll. Qakbot usually is part of an opportunistic cyberattack, Cylance said, and may target any end user, at any time.
  4. What is the business impact of Qakbot? Qakbot causes account and administrator system lock-outs, according to Cylance. It often is difficult to detect and eliminate, Cylance noted, and can disrupt an enterprise's day-to-day operations.
  5. Is it possible to stop a Qakbot attack? Qakbot is prevalent worldwide, Cylance said, but endpoint protection solutions may help an enterprise identify and resolve a Qakbot attack. Also, enterprises that educate their employees about phishing, malware and other cyber threats and update their cybersecurity processes and protocols regularly may be better equipped than others to respond to Qakbot and other cyberattacks.

Qakbot represents "seemingly immortal malware" that has raised concerns about how enterprises can block cyber threats from gaining access to corporate systems, according to Cylance.

However, enterprises that emphasize cyber threat detection and containment at all levels may be able to stop Qakbot attacks, Cylance said.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.