QakBot Detection: New Trojan Variant Picked Up New Tricks

Security experts have revealed a new variant of an information stealer and banking trojan known under the moniker QBot (aka QakBot, QuackBot, or Pinkslipbot). The trojan was first detected in the late 2000s, mostly used in financially motivated attacks aimed at stealing victims’ passwords. Its operators regularly resurface with new tricks up their sleeves, adopting new delivery vectors and evasion techniques. This time, adversaries trick victims into opening a weaponized HTML attachment that installs Qakbot, spread in a phishing campaign.

Detect QakBot

Make use of a newly released detection rule by Nattatorn Chuensangarun to expose the latest QBot attacks against your organization’s network:

Possible QakBot Execution by Spread HTML File Attached through Phishing Emails (via process_creation)

The Sigma rule can be used across 19+ SIEM, EDR & XDR platforms, aligned with the MITRE ATT&CK® framework v.10, addressing the Defense Evasion and Execution tactics with Signed Binary Proxy Execution (T1218) and User Execution (T1204) as the primary techniques.

Registered SOC Prime users can reach innovative industry-specific solutions and 200,000+ detection algorithms that integrate with 26+ SIEM, EDR and XDR technologies. To access the exhaustive list of Sigma rules to detect QBot attacks, click the Detect & Hunt button below.

To obtain better visibility into threats passing through your network, navigate an ever-changing landscape of threats with a novel solution from SOC Prime – the Cyber Threat Search Engine. The Search Engine is available for free, no strings attached. Give it a go by pressing the Explore Threat Context button.

Detect & Hunt Explore Threat Context

QakBot Description

In the recent operations, adversaries behind the distribution of QakBot have adopted new approaches to take their detection evasion capabilities to the next level by using ZIP file extensions, imitating common formats to lure the targets into downloading malicious attachments that install Qakbot. When the receiver opens the HTML file, the process entails the execution of the javascript code piece. Then follows the decoding of a base64 string held by a local variable, calling a built-in function, to save the decoded ZIP archive. The ZIP file contains a Windows shortcut file that visually mimics a text file. Double-clicking results in the launch of a QakBot’s loader program. According to the research data, the latest version of the QakBot trojan is enhanced with new anti-analysis and obfuscation techniques.

In this campaign, criminal hackers leverage payload extensions like OCX, ooccxx, .dat, .gyp to circumvent detection from automated security scans.

New attacks show up in the wild every day, and SOC professionals need precise, exposure-based solutions that cut through the noise and pinpoint the real security threats. SOC Prime’s vast library of detection content enables infosec professionals to pump up value from their investments into security. By joining SOC Prime’s Detection as Code platform, security experts can see in action how they can benefit from accelerated cyber defense capabilities.