Banking Trojan QakBot attacks the corporate users and blocking access to Active Directory

Researchers using analytical X-Force platform developed by IBM have discovered "worm-trojan" QakBot Bank, whose purpose is to steal money from bank accounts. This is an improved version of the Trojan, which was discovered for the first time in 2009 and qualified for the most sophisticated banking Trojans, which was discovered by the day. In the current campaigns aimed at corporate users, this malware is focused on Internet banking (similar to) and blocking access to the Active Directory infected devices.

Redistribution of the

Both the previous and the last detected version of Trojan QakBot, has the capacity to redistribute that are assigned network worms – malware after infecting the machine shares its copies on disks and removable media, using its modular the construction to spy in e-banking.

The modular construction of the Trojan QakBota gives you multiple possibilities in relation to the original version:

  • credential theft of Bank
  • run a proxy server
  • detecting type environment sandbox and antivirus software
  • disable the protection antivirus software
  • changes to the code and recompile (polymorphism) in order to hide from static scan mechanisms in the installed protective software
  • blocking access to Active Directory

If a user is logged on to the Bank, trojan activates features:

  • logging your keystrokes (keylogger)
  • the theft of stored logins and passwords
  • the theft of information from the digital certificates
  • steal cookies
  • steal passwords and logins for FTP and POP3

Trojan can send the information collected from the infected machine on the fly (uses the C & C servers whose names are generated by the algorithm DGA):

  • name of the host and user
  • the permissions of the logged-on user
  • information about the configuration of the network interfaces
  • the list of currently installed programs
  • system data
  • passwords and logins to the protected network resources
  • type of connection
  • the configuration of POP3 and SMTP
  • information about DNS services

Infecting computers

The Trojan QakBot, like other malware of this type infects the device if it is introduced into the system by the dropper. Typically, this takes place through social engineering attacks or attacks, drive-by download exploit kit tools that help hackers to match the exploit to the version of the operating system and browser/plug-ins.

Regardless of whether the dropper is started by the victim, or automatically (as a result of the exploit armed cargo), the virus tries to detect your run in a test environment, then waits for 10-15 minutes to the start of the phase infect: opens the process explorer. exe injecting malicious DLLs that use the system API functions and such. record the keystrokes on the keyboard.

Hiding in the system

QakBot malware analysts know to as nasty a piece of malicious code, which at all costs trying to remain in the infected system. This is especially frustrating yet for one reason – trojan blocks the connection to the Active Directory, by cutting corporate users of any changes made by the administrator on their computer.

After restarting the system, to keep your valuable features, the trojan tries to make the reactivation by running the startup:


The Trojan adds an entry to the Task Scheduler, as indicated by the system file in the location "C:\Windows\system32\schtasks.exe":

C:\Windows\system32\schtasks.exe "/create/tn {1F289CDD-BD80-4732-825C-4D2D43DA75AB}/tr" "C:\Users\UserNameUserName\AppData\Roaming\Microsoft\Graroaojr\graroaoj.exe\" "/sc HOURLY/mo 7/f

Trojan can add to schedule multiple times, setting a specific time and date run:

C:\Windows\system32\schtasks.exe "/create/tn {E6AA46C7-AE96-4859-A21C-5E01C0866746}/tr" cmd .exe/C start "ppm C:\Windows\system32\cscript.exe//E: javascript" C:\Users\UserName\AppData\Local\Microsoft\graroaoj.wpl\ "\" "/sc WEEKLY/D TUE /St 12:00:00/F

The blocking of Active Directory

Researchers have observed that the trojan once the DNS name of the corporate account in Active Directory, makes it impossible to communicate the infected machine to Microsoft, which is used by administrators to the advanced network management, devices, users and applications. In addition, trojan QakBot to access other computers on the network, try to sign in to AD using built-in credentials and the domain controller attempts to steal login data of other users. If the operation is "forced logon" (brute-force) fails, the trojan uses a more comprehensive list of user names and passwords.

Zahardkodowane credentials in the Trojan.

In some configurations, the AD accounts, repeatedly attempts to log on to different computers, which can end up locking the account.

Stealing money from bank accounts

The main purpose of a Trojan QakBot is stealing money from bank accounts of employees who log on to the private or business bank accounts. This is possible thanks to the use of the technique of man-in-the-browser.

The same attack (man-in-the-browser) used in a practical attack on one of the clients mbank, who was robbed of 40 000 dollars.

QakBot has implemented a feature that the fly injects malicious JavaScript code (webinject) to online banking session, by manipulating visual content: when you transfer replaces the bank account number.

The protection of the

To effectively detect such threats as QakBot, it is necessary to apply adaptive products to detect malicious software. We are dealing here with two techniques provide a Trojan on the employees ' computers:

  • through the social engineering attacks (mostly spam)
  • through attacks drive-by download, where the first violin plays exploit kit with dropper transmission QakBota

Examination of cases come down to known malware defense methods, however, require a multi-tier protection:

  • in the browser, which is the first target in drive-by attacks using vulnerabilities in software (scan Web pages, detection of malicious IP addresses, the reputation of Web sites),
  • in the mail client, where corporate users receive corporate email (scan attachments/scripts, spam)
  • at the junction of the device to the Internet that should be controlled through the firewall with IPS/IDS to detect and identify attacks (shellcode detection, malicious hosts),
  • at the junction of the corporate network to the Internet, where equipment for the comprehensive protection of the network should block the public IP addresses used in attacks and for communication with C & C.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.