Weekly Executive Summary for Week July 07, 2017

By Joseph Lorenz on July 7, 2017

What is it? Banking Trojan | Worm

What has it been dubbed? Qakbot | Pinkslipbot | W32.Qakbot | Qbot

What does it do?

The malware has the ability to gather data from compromised systems and upload that captured data to FTP servers controlled by cybercriminals. According to Symantec, in 2011 Qakbot was uploading an average of 10-15 kilobytes of stolen data per day from infected computers. The main purpose of the malware is to steal banking information. Back in 2011, when Qbot was first observed, it was only targeting banks in the United States. The banking Trojan also has worm-like propagation, and users may become infected through network shares or removable drives.

Since its original appearance, Qakbot has evolved to infect new systems and evade detection. The current variant of the banking malware uses Universal Plug and Play (UPnP) to open ports, which allows incoming connections from anyone on the internet. It is the first malware to use infected machines as HTTPS-based control servers and the second to use UPnP for port forwarding (the other being the Conficker worm).

How does it do it?

Originally, infections were spread through compromised websites that pointed to exploit attack toolkits. Attackers would plant updated Qakbot binaries as the payload of the exploit toolkit. A user could stumble upon a website carrying code that points to the exploit toolkit; the user's machine is then subjected to various application exploits, and if one succeeds the toolkit drops and runs the Qakbot file without any user interaction. As stated previously, users could also be infected via network shares or removable devices from other infected users.

[Figure: malware flowchart. Source: Symantec]

Once Pinkslipbot has been executed, it hooks various APIs and injects itself into various processes. In this phase the malware starts keylogging and monitoring network traffic, while a SOCKS-like proxy client is started on the compromised system.

An ‘.exe’ is downloaded as a result of the initial infection. This executable contains an encrypted DLL and a configuration file, which are dropped for initialization and injection. Pinkslipbot injects into processes such as iexplore.exe, outlook.exe, firefox.exe, opera.exe, skype.exe, and more. The injected code then reaches out to the internet to gather further configuration files and updates. The .exe, DLL, and other configuration files are stored under a randomly named sub-folder within this folder:

  • %AllUsersProfile%\Application Data\Microsoft\  

The configuration file is encrypted; it contains C&C and FTP server information.

Network connections can be made on these network ports:

  • 80
  • 21
  • 443
  • 2222
  • 995  
  • 2078
  • 31666
  • 16666-16669

Its main purpose is to steal banking information and credentials. When an infected user visits a banking website targeted by Qakbot, the session authentication tokens are sent to the attackers, which allows them to piggyback on the existing session. For certain banking websites, the Trojan can also prevent users from terminating their online banking session (logging off) by redirecting the action taken when the ‘sign out’ link is clicked. With the stolen session authentication data, attackers are able to stay on the active online banking session and transfer funds. Cybercriminals can also route their traffic through Qakbot’s proxy client on the infected system in case the financial institution verifies local client information (i.e., IP address). Another method used to steal banking credentials is simply the keylogger.

In 2017 the banking Trojan has evolved and expanded its capabilities. Qakbot has been rewritten to target 64-bit systems across the globe, not only in the United States as it was originally designed to do. The malware has added layers of obfuscation to avoid detection by antivirus software and to ensure persistence. The newly studied variant uses Universal Plug and Play to open ports, which allows anyone on the internet to communicate with an infected system. New infections use already infected machines as HTTPS proxies to mask the IP address of the real C&C (Command & Control) server.

[Figure: network diagram. Source: Security Affairs]

Qakbot checks the targeted computer's connection using the Comcast Internet speed tester, which can only be used from US IP addresses. If the targeted system passes the speed test, the malware probes UPnP ports to check for available services. According to researchers, the exact procedure for determining whether an infected machine is eligible to be a control server proxy is still unclear, but they believe it could be a combination of these three factors:

  • IP address located in North America
  • High-speed Internet connection
  • Capability to open ports on an Internet gateway device using UPnP

Infected machines at the first level of the proxy chain use the ‘libcurl’ library to pass information to the second layer, which then routes the traffic to the ‘real’ C&C servers.
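A defender's hunting aid for the two network signals described above (connections to the listed ports, and a host asking the gateway to open a port via UPnP). This is an added example, not code from the original post or any vendor tool; the log line formats and all addresses are constructed, and the AddPortMapping SOAP action name is the standard UPnP IGD one.

```python
"""Hunting aid for the Qakbot/Pinkslipbot traffic patterns described above.

Constructed sample data and hypothetical log formats; this is not the malware's
own code nor any vendor's tool.
"""
import re

# Ports from the advisory; 80 and 443 are ordinary web ports and are not
# alerted on by themselves.
QAKBOT_PORTS = {21, 2222, 995, 2078, 31666} | set(range(16666, 16670))
# Standard SOAP action a client sends to a UPnP gateway to open an inbound mapping.
ADD_MAPPING = "WANIPConnection:1#AddPortMapping"

# Constructed NetFlow-style lines: time src dst dport proto
FLOW_LOG = """\
2017-07-07T10:01:02 10.0.0.15 203.0.113.8 443 tcp
2017-07-07T10:01:05 10.0.0.15 203.0.113.8 16667 tcp
2017-07-07T10:02:11 10.0.0.22 198.51.100.4 80 tcp
2017-07-07T10:02:30 10.0.0.15 203.0.113.9 2078 tcp
2017-07-07T10:03:00 10.0.0.31 192.0.2.77 31666 tcp
2017-07-07T10:03:20 10.0.0.22 198.51.100.4 21 tcp
"""
# Constructed proxy-log lines showing SOAP calls to the gateway: src dst action
UPNP_LOG = """\
10.0.0.15 192.168.1.1:49152 urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
10.0.0.40 192.168.1.1:49152 urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")

def suspicious_flows(text):
    """(time, src, dst, dport) for flows to a Qakbot-listed port; junk lines skipped."""
    hits = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m and int(m.group(4)) in QAKBOT_PORTS:
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return hits

def upnp_mapping_hosts(text):
    """Hosts that asked the gateway to add a port mapping (proxy-node behaviour)."""
    return {line.split()[0] for line in text.splitlines() if ADD_MAPPING in line}

def triage(flow_text, upnp_text):
    """Score hosts: 1 per suspicious-port flow, +2 if the host also opened a UPnP
    mapping. Hosts showing both signals fit the C&C proxy-node pattern best."""
    scores = {}
    for _, src, _, _ in suspicious_flows(flow_text):
        scores[src] = scores.get(src, 0) + 1
    for host in upnp_mapping_hosts(upnp_text):
        scores[host] = scores.get(host, 0) + 2
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))

if __name__ == "__main__":
    for host, score in triage(FLOW_LOG, UPNP_LOG).items():
        print(f"{host}: score {score}")
```

Feed real flow and proxy exports in place of the constructed strings; the scoring is a triage order for analysts, not a verdict.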


Conclusion:

This is a great example of how older forms of malware can be re-engineered to add new malicious activities. Qakbot was first observed around 6 years ago and has since made a comeback with added obfuscation and persistence features. Any malware with the capability to spread (worm) to other networked devices should be closely observed. These attacks can be seen as opportunistic, as they make use of infected webpages to spread their malicious code.

According to McAfee, most security tools only remove the malware’s main binaries, which only prevents the Trojan from collecting credentials from infected hosts. However, these tools leave certain code intact, allowing the malware to keep running proxy servers via the Windows Universal Plug and Play service. McAfee has released a new free tool to remove all remaining files, to prevent Qakbot from using a user’s system to relay C&C commands to other systems.

The tool is called AmIPinkC2 and can be found here: https://www.mcafee.com/us/downloads/free-tools/pinkslipbot.aspx


Sources:

https://www.cylance.com/en_us/blog/cylance-vs-qakbot-malware.html (Cylance)

http://securityaffairs.co/wordpress/60233/malware/pinkslipbot-banking-trojan.html (Security Affairs)

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf (Symantec)

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22960/en_US/McAfee_Labs_Threat_Advisory_Pinkslipbot_Updated_May8_2017.pdf (McAfee)