London, UK – June 15, 2017 – A wave of Active Directory (AD) account lockouts caused by malware activity occurred in June. During the investigation, researchers from IBM X-Force determined that the culprit is the well-known banking trojan QakBot (aka PinkSlip). The lockouts are a side effect of the malware's lateral-movement behavior: it repeatedly attempts to authenticate to other machines on the domain with stolen and guessed credentials, and those failed attempts trip the domain's account lockout threshold. As a result, hundreds of thousands of Active Directory users were suddenly locked out, and employees were unable to access their endpoints and company servers. X-Force expects QakBot attacks to continue and companies to suffer significant losses from such lockouts.
QakBot first appeared in 2009 and has been continuously improved since. Although it spreads like a worm, it is otherwise a typical banking trojan with information-stealing and backdoor capabilities. The latest version can evade antivirus products and disable them on endpoints. All this makes QakBot a dangerous tool for targeted attacks on companies, and detecting it at an early stage of the attack can prevent both theft of valuable data and AD lockouts.
Since this malware is difficult to detect by conventional means, we recommend the APT Framework SIEM use case. It detects signs of QakBot activity using statistical profiling and behavior analysis, so you can localize the threat before it disrupts your business.
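To illustrate the kind of behavioral profiling that surfaces this activity, here is an added example that is not part of the APT Framework use case or of the original release. It assumes the lockout events have been exported from the domain controllers' Security log as Windows event 4740 ("A user account was locked out"), whose "Caller Computer Name" field identifies the host that submitted the bad credentials. A single host locking out many distinct accounts within a short window is the pattern a QakBot-infected endpoint produces and a mistyped password does not; the event records below are constructed test data, and the window and threshold values are illustrative choices, not tuned parameters.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of event 4740 records as a SIEM might export them:
# (timestamp, locked-out account, Caller Computer Name). Made-up test data,
# not logs from the incident described above.
SAMPLE_EVENTS = [
    # One workstation locking out many different accounts within two minutes.
    ("2017-06-12T09:00:05", "jsmith",     "ws-0412"),
    ("2017-06-12T09:00:09", "mbrown",     "ws-0412"),
    ("2017-06-12T09:00:14", "jsmith",     "ws-0412"),   # repeat, same account
    ("2017-06-12T09:00:20", "akhan",      "ws-0412"),
    ("2017-06-12T09:00:31", "rlopez",     "ws-0412"),
    ("2017-06-12T09:00:44", "dchen",      "ws-0412"),
    ("2017-06-12T09:01:02", "svc_backup", "ws-0412"),
    # Benign noise: a user mistyping their own password, another locked once.
    ("2017-06-12T08:15:00", "tjones",     "ws-0077"),
    ("2017-06-12T08:40:00", "plee",       "ws-0099"),
    ("2017-06-12T08:42:30", "plee",       "ws-0099"),
    # Five lockouts from one host spread over three hours: never dense enough.
    ("2017-06-12T07:00:00", "a.one",      "ws-0200"),
    ("2017-06-12T07:45:00", "a.two",      "ws-0200"),
    ("2017-06-12T08:30:00", "a.three",    "ws-0200"),
    ("2017-06-12T09:15:00", "a.four",     "ws-0200"),
    ("2017-06-12T10:00:00", "a.five",     "ws-0200"),
]


def parse_event(record):
    """Normalize one exported 4740 record into (datetime, account, caller)."""
    ts, account, caller = record
    # Case-fold so WS-0412 and ws-0412 are counted as the same source host.
    return datetime.fromisoformat(ts), account.lower(), caller.upper()


def detect_mass_lockouts(events, window=timedelta(minutes=10), min_accounts=5):
    """Sliding-window profile of lockouts per caller computer.

    Returns {caller_computer: set(locked accounts)} for every host that locked
    out at least `min_accounts` *distinct* accounts within any `window`.
    Repeated lockouts of the same account (a user retrying their own password)
    do not count toward the threshold.
    """
    recent = defaultdict(deque)   # caller -> deque of (ts, account) inside window
    alerts = {}
    for ts, account, caller in sorted(parse_event(e) for e in events):
        q = recent[caller]
        q.append((ts, account))
        # Drop events that have aged out of the window for this host.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) >= min_accounts:
            # Accumulate every account seen from this host once it trips.
            alerts.setdefault(caller, set()).update(distinct)
    return alerts


def lockout_summary(events):
    """Total lockouts and distinct accounts per caller, for triage context."""
    summary = defaultdict(lambda: [0, set()])
    for _, account, caller in (parse_event(e) for e in events):
        summary[caller][0] += 1
        summary[caller][1].add(account)
    return {c: (n, len(accts)) for c, (n, accts) in summary.items()}


if __name__ == "__main__":
    for host, accounts in detect_mass_lockouts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: locked out {len(accounts)} accounts "
              f"-> isolate host and check for QakBot: {sorted(accounts)}")
    for host, (total, distinct) in sorted(lockout_summary(SAMPLE_EVENTS).items()):
        print(f"{host}: {total} lockouts, {distinct} distinct accounts")
```

Run against the constructed data, only WS-0412 trips the profile; WS-0099 (one user retrying) and WS-0200 (lockouts too spread out) do not. In practice the window and threshold should be set from the domain's own baseline of lockouts per host, and the alert should name the caller computer rather than the locked accounts, since that host is the one to isolate.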
We also recommend the Cyber Incidents Insight module in the Security Management Assistance cloud to stay informed about new threats and the SIEM use cases that help detect them.