What is Qakbot?
Qakbot (tracked by MITRE ATT&CK as S0650), also known as Qbot, is a long-standing banking trojan built for credential theft. It steals login credentials, modifies system settings, and uses evasion techniques such as polymorphic code to avoid detection.
While a dangerous infostealer on its own, Qakbot has evolved into a primary initial access dropper for other major threat actors and is well known for delivering ransomware payloads for groups such as Black Basta. It typically spreads through phishing campaigns that use email thread hijacking: an attacker compromises an email account and replies to an ongoing conversation, so the malicious links or attachments in that reply appear trustworthy to the recipients because they arrive from a known correspondent inside an existing thread.
How to Defend Against Qakbot?
Defending against Qakbot requires a multi-layered approach focused on blocking its delivery and detecting its post-infection activity.
- Implement robust email security to block the phishing messages and malicious attachments that are its primary delivery vector.
- Educate users to recognize and report sophisticated phishing, including email thread hijacking, where the lure arrives as a reply from a known contact.
- Keep all software and systems patched to limit the vulnerabilities that can be exploited for initial access or for follow-on movement once a host is infected.
- Deploy endpoint detection and response (EDR) and antivirus to identify and block execution of the trojan and its evasion techniques.
- Use network detection and response (NDR) with integrated threat intelligence to spot and block command-and-control (C2) communications and the download of follow-on payloads.
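The last bullet describes matching network traffic against threat intelligence. The following Python script is an added example written for this page, not code from the original article or from any NDR product: it runs a small indicator-matching pass over constructed proxy log lines. The indicator list, the allowlisted download host and every log line are made up for illustration (RFC 5737 and RFC 2606 documentation ranges) and are not real Qakbot infrastructure; the log format (`ts src dst host method uri status mime`, space-separated) is an assumption chosen to keep the example self-contained.

```python
"""
Added example (not from the original page): a minimal network-detection pass
that checks constructed proxy log lines against a constructed threat-intel
list, in the spirit of the NDR bullet above. Nothing here is a real IOC.
"""
import ipaddress
from dataclasses import dataclass

# Constructed intel feed using documentation-only ranges (RFC 5737), not real C2.
INTEL_IPS = {
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
}
# Constructed domain indicators (RFC 2606 reserved names), not real C2 domains.
INTEL_DOMAINS = {"c2.example.net", "payload.example.org"}

# MIME types that typically mean an executable (EXE/DLL) came down the wire.
PAYLOAD_MIME = {"application/x-dosexec", "application/x-msdownload"}

# Hosts from which executable downloads are expected; assumed allowlist.
TRUSTED_DOWNLOAD_DOMAINS = {"updates.example.com"}


@dataclass
class Alert:
    line_no: int
    reason: str
    src: str
    dst: str


def domain_matches(host: str, indicators: set[str]) -> bool:
    """True if host equals an indicator or is a subdomain of one.

    The '.' prefix matters: 'notpayload.example.org' must not match
    'payload.example.org', which a bare endswith() would get wrong.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def ip_matches(ip: str, networks) -> bool:
    """True if ip falls inside any intel network; unparsable input never matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def scan(log_lines):
    """Parse 'ts src dst host method uri status mime' lines and raise alerts.

    Checks run in order of confidence: intel IP hit, intel domain hit, then the
    weaker behavioural signal of an executable download from a non-allowlisted
    host (the 'follow-on payload' case). Malformed lines are skipped, not fatal.
    """
    alerts = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) != 8:
            continue
        _ts, src, dst, host, method, _uri, _status, mime = fields
        if ip_matches(dst, INTEL_IPS):
            alerts.append(Alert(n, f"dst IP {dst} on intel list", src, dst))
        elif domain_matches(host, INTEL_DOMAINS):
            alerts.append(Alert(n, f"host {host} on intel list", src, dst))
        elif (mime in PAYLOAD_MIME and method == "GET"
              and not domain_matches(host, TRUSTED_DOWNLOAD_DOMAINS)):
            alerts.append(Alert(n, f"executable download ({mime}) from {host}", src, dst))
    return alerts


# Constructed sample log: internal clients (10.0.0.x) talking to documentation IPs.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 192.0.2.1 www.example.com GET / 200 text/html",
    "2024-01-01T10:00:05Z 10.0.0.5 203.0.113.45 c2.example.net POST /t 200 application/octet-stream",
    "2024-01-01T10:00:09Z 10.0.0.7 192.0.2.10 cdn.payload.example.org GET /x.dll 200 application/x-dosexec",
    "2024-01-01T10:00:12Z 10.0.0.9 192.0.2.20 updates.example.com GET /patch.exe 200 application/x-dosexec",
    "2024-01-01T10:00:15Z 10.0.0.9 192.0.2.30 files.example.com GET /tool.exe 200 application/x-dosexec",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.src} -> {a.dst}: {a.reason}")
```

Run against the constructed sample, the script flags lines 2, 3 and 5 and leaves the allowlisted patch download on line 4 alone. The ordering of checks is deliberate: a direct intel hit is reported with that reason even when the same request would also trip the weaker download heuristic, so the analyst sees the highest-confidence signal first.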