The Resurgence of Qakbot: Advisory Alert

Qakbot, also known as Qbot, is a type of sophisticated banking Trojan and malware that has been active for several years. It primarily targets Windows-based systems and is designed to steal sensitive financial information, login credentials, and other personal data. 

Though it is known for hitting the financial industry, we have seen the malware strain evolve and target many other industries. Despite claims of a takedown this past summer, its operators appear to be just as active as ever.

What We Know

Despite claims by the FBI in the summer, Qakbot was never truly taken down

Lumu’s position was always that Qakbot never truly halted operations. We’ve been seeing Qakbot impact our customer base even after the takedown was announced in August. 

Our customer data suggests that the botnet has been quite active over the last few months, as we’ve detected Qakbot activity impacting various customers at a steady rate. December is not over, but we still see it keeping pace with previous months. 

Qakbot seems to be targeting a variety of industries, but Finance, Manufacturing, Education, and Government are the most commonly impacted across our customer base.

Qakbot Returns: Bigger and Better

According to our feeds, most of the C2 infrastructure was taken down; however, the people behind the operation are still free. To keep the operation alive they created and deployed a new executable binary, and they now appear to have renewed and improved both their infrastructure and their binaries.

The new Qakbot malware now operates on 64-bit systems and uses AES encryption for its network communications, which helps it evade detection and protects its data exfiltration traffic. It has also begun sending HTTP POST requests to specific paths, a method likely used for command-and-control communications or for data exfiltration.
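The encrypted POST check-ins described above leave a recognisable shape in proxy logs even when the exact paths are unknown: repeated POSTs from one host to one path, at regular intervals, with bodies that look like ciphertext. The following Python is an added illustration of that hunting logic, not part of Lumu's advisory or tooling; the log records, hostnames, paths and thresholds are constructed assumptions.

```python
import hashlib
import math
import statistics
from collections import defaultdict
def pseudo_ciphertext(seed: str, blocks: int = 16) -> bytes:
    """Deterministic stand-in for an AES-encrypted body (constructed from SHA-256 digests)."""
    return b"".join(hashlib.sha256(f"{seed}:{j}".encode()).digest() for j in range(blocks))
# Constructed proxy records: (epoch_seconds, src, method, dst, path, body).
# Hosts and paths are placeholders, not real Qakbot indicators.
SAMPLE_LOGS = [
    # host checking in every ~300 s with opaque 512-byte bodies (beacon-like)
    (1000 + i * 300 + (i % 2) * 7, "10.0.0.5", "POST", "c2.example.invalid", "/t5",
     pseudo_ciphertext(f"beacon{i}"))
    for i in range(5)
] + [
    # host submitting a plaintext form at irregular, human-paced times (benign)
    (ts, "10.0.0.9", "POST", "intranet.example.invalid", "/login", b"user=alice&action=view")
    for ts in (1000, 1600, 1650, 1900, 3000)
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for ciphertext, roughly 4 to 5 for form-encoded text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_encrypted_beacons(records, min_posts=4, max_jitter=0.25, min_entropy=6.0):
    """Return (src, dst, path) triples whose POSTs recur at regular intervals with
    high-entropy bodies. Thresholds are assumed starting points, not Qakbot-specific values."""
    sessions = defaultdict(list)
    for ts, src, method, dst, path, body in records:
        if method == "POST":
            sessions[(src, dst, path)].append((ts, body))
    hits = []
    for key, posts in sessions.items():
        if len(posts) < min_posts:
            continue
        posts.sort(key=lambda p: p[0])
        gaps = [b[0] - a[0] for a, b in zip(posts, posts[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.stdev(gaps) / mean_gap if mean_gap else float("inf")  # coefficient of variation
        avg_entropy = statistics.mean(shannon_entropy(body) for _, body in posts)
        if jitter <= max_jitter and avg_entropy >= min_entropy:
            hits.append(key)
    return hits
```

Hits from this heuristic are leads for triage, not verdicts: correlate them with known C2 indicators and endpoint telemetry before acting.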

Recommendations

  • Enhanced Network Monitoring: Deploy Continuous Compromise Assessment to detect any communication with known Qakbot C2 servers. This real-time monitoring can alert you to potential breaches or malware activity.
  • Incident Response Planning: Have a robust incident response plan in place. Lumu’s incident management feature can aid in quickly identifying and mitigating threats.
  • SecOps Enablement: Leverage SecOps capabilities to actively monitor and respond to threats. Lumu’s platform can provide valuable insights for SecOps teams to act upon.
  • Employee Awareness Training: Educate your staff about the risks of phishing emails, which are a common delivery method for Qakbot. Promote vigilance in identifying and reporting suspicious emails.
  • Regular Updates and Patching: Ensure that all systems are regularly updated and patched to mitigate vulnerabilities that could be exploited by Qakbot.
  • Threat-Informed Defense: Stay informed about the latest developments in Qakbot’s tactics and techniques. Use this information to inform your cybersecurity strategies and defenses.

A critical step in any cybersecurity strategy is establishing visibility into threats that are affecting your network infrastructure. Open a Lumu Free account and start gaining visibility into threats that are evading traditional cybersecurity defenses.
