SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image

Kaspersky researchers reveal QakBot, a powerful banking Trojan

Mon, 6th Sep 2021
FYI, this story is more than a year old

The number of users attacked with QakBot, a banking Trojan, in the first seven months of 2021 grew by 65% in comparison to the same period in 2020, according to new research from Kaspersky.

Overall, the threat reached 17,316 users worldwide, demonstrating that it is increasingly affecting internet users.

As Kaspersky researchers highlight, banking Trojans, when they have successfully infected a targeted computer, allow cybercriminals to steal money from victims' online banking accounts and e-wallets. This is why they are considered one of the most dangerous types of malware.

QakBot was identified as early as 2007 as one of the many banking Trojans. However, in recent years QakBots' developer has invested more into its development, turning the Trojan into one of the most powerful and dangerous among existing examples of this malware type, the Kaspersky researchers state.

In addition to functions that are standard for banking Trojans, such as keylogging, cookie-stealing, passwords, and login grabbing, recent versions of QakBot have included functionalities and techniques that allow it to detect if it's running in a virtual environment.

The latter is often used by security solutions and anti-malware specialists to identify malware via its behaviour, the researchers state. If the malware detects it's running in a virtual environment, it can stop suspicious activity or stop functioning completely.

In addition, QakBot tries to protect itself from being analysed and debugged by experts and automated tools.

The other new and unusual function spotted by Kaspersky researchers in recent versions of QakBot is its ability to steal emails from the attacked machine. These emails are later used in various social engineering campaigns against users in the victim's email contact list.

Kaspersky malware analyst Haim Zigel says, “QakBot is unlikely to stop its activity anytime soon. This malware continuously receives updates and the threat actors behind it keep adding new capabilities and updating its modules in order to maximise the revenue impact, along with stealing details and information.

"Previously, we've seen QakBot being actively spread via the Emotet botnet. This botnet was taken down at the beginning of the year, but judging by the infection attempt statistics, which have grown in comparison to the last year, the actors behind QakBot have found a new way of propagating this malicious software.

To stay safe from financial threats such as QakBot, Kaspersky experts recommend the following:

  • Do not follow links in spam messages nor open documents attached to them.
  • Use online banking with multifactor authentication solutions.
  • Make sure all software is updated, including operating systems and all software applications (attackers exploit loopholes in widely used programs to gain entry).
  • Use a trusted security solution that can help check the security of a URL and open any site in a protected container to prevent theft of sensitive data (such as financial information).
Follow us on: