Returning Qakbot Trojan Induces Active Directory Lockouts

Threat actors have resurfaced a program which had been inactive for a while. The infection, called Qakbot, is a Trojan horse with a rich history. The first strain of the malware was launched back in 2009.

Since then, the malware has been used for various attacks with different targets. The usual goal of Qakbot is to drain banking accounts. The Trojan works on a large scale, targeting accounts which belong to business entities.

Qakbot is a sophisticated program with worm capabilities. It can replicate itself through removable media and shared drives. The software has advanced monitoring features which enable it to spy on people’s banking activity and steal their credentials. The people behind the Trojan can thus log in to users’ financial accounts and withdraw their funds.

The current strain performs operations which can cause Active Directory lockouts. IBM’s X-Force research team broke the news after observing the activity of Qakbot.

The first in a series of attacks was spotted last week. The Trojan was linked to Active Directory lockouts. It was found that the actions of Qakbot can result in users losing access to the accounts used for authentication and authorization.

This strain of Qakbot uses an attack pattern which can lead to additional consequences. The Trojan makes automated logon attempts which can trigger an account lockout.

“To access and infect other machines in the network, the malware uses the credentials of the affected user and a combination of the same user’s login and domain credentials, if they can be obtained from the domain controller (DC),” explained the IBM researchers.

“Qakbot may collect the username of the infected machine and use it to attempt to log in to other machines in the domain. If the malware fails to enumerate usernames from the domain controller and the target machine, the malware will use a list of hardcoded usernames instead.”

The experts went on to elaborate how the attack pattern of Qakbot can affect the user’s access. Under certain domain configurations, the Trojan’s dictionary attack against the targeted device results in multiple failed authentication attempts. Once the domain’s lockout threshold is reached, the corresponding platform locks the account.
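The pattern described above leaves a recognisable trace in Windows Security logs: one source host producing failed logons (event 4625) against many distinct accounts in a short window, followed by lockouts (event 4740) whose caller computer is that same host. The detection below is an added example, not part of the article or of IBM’s research; the event records are constructed samples with only the fields the logic needs.

```python
"""Flag the lateral logon spray described in the article: one infected host
attempting many accounts within a short window, plus the 4740 lockouts that
name the same host as the caller computer."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real telemetry).
# 4625 = failed logon (src = WorkstationName); 4740 = account locked out
# (src = Caller Computer Name). Timestamps and host names are made up.
EVENTS = [
    {"time": "2017-06-02T09:00:01", "id": 4625, "user": "jsmith",   "src": "WS-017"},
    {"time": "2017-06-02T09:00:02", "id": 4625, "user": "mjones",   "src": "WS-017"},
    {"time": "2017-06-02T09:00:02", "id": 4625, "user": "admin",    "src": "WS-017"},
    {"time": "2017-06-02T09:00:03", "id": 4625, "user": "backup",   "src": "WS-017"},
    {"time": "2017-06-02T09:00:04", "id": 4625, "user": "svc_sql",  "src": "WS-017"},
    {"time": "2017-06-02T09:00:05", "id": 4625, "user": "helpdesk", "src": "WS-017"},
    {"time": "2017-06-02T09:00:09", "id": 4740, "user": "mjones",   "src": "WS-017"},
    {"time": "2017-06-02T09:00:11", "id": 4740, "user": "admin",    "src": "WS-017"},
    # a single mistyped password from an ordinary user must not be flagged
    {"time": "2017-06-02T09:15:00", "id": 4625, "user": "alee",     "src": "WS-042"},
]

def find_spraying_hosts(events, min_accounts=5, window=timedelta(minutes=2)):
    """Return {source_host: sorted distinct accounts tried} for every host whose
    failed logons hit at least `min_accounts` distinct accounts within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()  # order by time for the sliding window
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_accounts:
                flagged[src] = sorted({u for _, u in attempts})
                break
    return flagged

def lockouts_caused_by(events, host):
    """Accounts locked out (4740) where the caller computer is the flagged host,
    i.e. the lockouts the article attributes to the malware's logon attempts."""
    return sorted(e["user"] for e in events if e["id"] == 4740 and e["src"] == host)

if __name__ == "__main__":
    for host, users in find_spraying_hosts(EVENTS).items():
        print(f"{host}: tried {users}; locked out {lockouts_caused_by(EVENTS, host)}")
```

Tune `min_accounts` and `window` to the domain’s own lockout policy so a user mistyping one password is never flagged, while a host trying the domain’s enumerated or hardcoded usernames one after another is.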

Qakbot attempts to penetrate company banking accounts. For this reason, the Trojan’s attacks target internal computer systems. Consequently, employees who use their workplace computers to access their personal banking accounts can become victims, as well.

According to malware analysts, Qakbot is masterful at concealing its presence. The Trojan has the ability to evade detection while continuing to perform its malicious operations.

“Overall, Qakbot’s detection circumvention mechanisms are less common than those used by other malware of its class. Upon infecting a new endpoint, the malware uses rapid mutation to keep AV systems guessing. It makes minor changes to the malware file to modify it and, in other cases, recompiles the entire code to make it appear unrecognisable,” the analysts elaborated.

Paul Calatayud, Chief Technology Officer at FireMon, noted that the Active Directory lockouts are a side effect of the malware’s account enumeration attempts. Qakbot does not purposefully cause users this inconvenience.
