IBM security researchers discovered that the QakBot malware had locked numerous Active Directory users out of their company's domain.
Active Directory is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.
The attack is carried out by the QakBot (also written Qbot) banking malware. First detected in 2009, it has been continuously improved since. It is known to target businesses in order to steal their online banking credentials. The malware has worm capabilities that let it self-replicate through shared drives and removable media, and it can monitor browser activity on the infected system and record data entered on finance-related websites.
IBM said this is the first time it has seen the malware cause Active Directory lockouts in affected organizational networks.
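An account lockout is, by definition, the result of repeated failed logons against that account, so a worm that tries credentials across the domain from one infected host shows up on the domain controllers as a burst of lockouts that all name the same source machine. The following is an added example, not code from the IBM report: it assumes lockout events have been exported from the domain controllers' Security log as Windows event ID 4740 ("A user account was locked out"), which records the locked-out account and the "Caller Computer Name", and it flags any caller that locks out several distinct accounts within a short window. The event lines are constructed for illustration.

```python
"""Flag hosts that trigger a burst of Active Directory account lockouts.

Added example, not from the IBM report. Assumes lockout events exported
from the domain controllers as Windows event ID 4740, one per line:
timestamp, event ID, locked-out account, caller computer name.
The sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed format, not a real log).
SAMPLE_EVENTS = """\
2017-05-31T09:14:02Z 4740 alice WS-FINANCE-07
2017-05-31T09:14:05Z 4740 bob WS-FINANCE-07
2017-05-31T09:14:09Z 4740 carol WS-FINANCE-07
2017-05-31T09:14:11Z 4740 dave WS-FINANCE-07
2017-05-31T09:14:15Z 4740 erin WS-FINANCE-07
2017-05-31T09:14:20Z 4740 frank WS-FINANCE-07
2017-05-31T09:30:44Z 4740 grace WS-HR-02
2017-05-31T11:02:10Z 4740 heidi WS-FINANCE-07
"""


def parse_events(text):
    """Parse one event per line into (time, event_id, account, caller) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, caller = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       int(event_id), account, caller))
    return events


def lockout_storms(events, threshold=5, window=timedelta(minutes=10)):
    """Return {caller: sorted accounts} for every caller computer that locks
    out at least `threshold` distinct accounts inside some `window`-long span.

    One user locked out by their own workstation is routine; one host locking
    out many different users within minutes is the footprint of a host that
    is spraying credentials across the domain.
    """
    by_caller = defaultdict(list)
    for ts, event_id, account, caller in events:
        if event_id == 4740:
            by_caller[caller].append((ts, account))

    flagged = defaultdict(set)
    for caller, hits in by_caller.items():
        hits.sort()
        start = 0
        # Sliding window over the caller's lockouts in time order.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accounts = {acct for _, acct in hits[start:end + 1]}
            if len(accounts) >= threshold:
                flagged[caller] |= accounts
    return {caller: sorted(accts) for caller, accts in flagged.items()}


if __name__ == "__main__":
    for caller, accounts in lockout_storms(parse_events(SAMPLE_EVENTS)).items():
        print(f"{caller}: locked out {len(accounts)} accounts: {', '.join(accounts)}")
```

The threshold and window are tuning knobs; set them just above what the domain's lockout policy and normal user behaviour produce for a single machine, and treat any hit as a host to isolate rather than a set of users to unlock.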
“QakBot is modular, multithread malware whose various components implement online banking credential theft, a backdoor feature, SOCKS proxy, extensive anti-research capabilities and the ability to subvert antivirus (AV) tools. Aside from its evasion techniques, given admin privileges, QakBot’s current variant can disable security software running on the endpoint.”
QakBot is delivered by a dropper, which delays execution by 10 to 15 minutes to outwait antivirus and sandbox analysis. The dropper then launches an explorer.exe instance and injects the QakBot DLL into that process, after which it corrupts the original dropper file on disk.
The dropper implements the delay with the ping utility, issuing a ping command that repeats six times in a loop. Once the ping requests complete, the contents of the main QakBot dropper file are overwritten with the legitimate Windows autoconv.exe binary, leaving a benign system executable in place of the original payload.
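The three behaviours described above (a ping loop used as a sleep, explorer.exe launched as an injection host, and the dropper overwriting its own file) are each visible in ordinary endpoint telemetry. The following is an added example, not code from the IBM report or from the malware: it assumes Sysmon-style process-creation and file-write events normalised into dicts, the paths and PIDs are constructed, and the exact ping command line (a loopback target with an `-n` repeat count) is an assumed form of the "six times in a loop" delay the text describes.

```python
"""Flag the dropper behaviour described above in process and file telemetry.

Added example, not part of the IBM report. Assumes Sysmon-like events:
process creation with parent image and command line, and file writes with
the writing process's PID. All events, paths and PIDs below are constructed,
and the ping command-line shape is an assumption.
"""
import ntpath
import re

SYSTEM_DIR = "c:\\windows\\"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed telemetry: a dropper in a user profile sleeps via ping,
# launches explorer.exe to host its DLL, then overwrites its own file.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4012, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\AppData\Roaming\svc\upd.exe",
     "cmdline": r"C:\Users\jdoe\AppData\Roaming\svc\upd.exe"},
    {"type": "process", "pid": 4020, "parent_image": r"C:\Users\jdoe\AppData\Roaming\svc\upd.exe",
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping.exe -n 6 127.0.0.1"},
    {"type": "process", "pid": 4024, "parent_image": r"C:\Users\jdoe\AppData\Roaming\svc\upd.exe",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "file", "pid": 4012, "target": r"C:\Users\jdoe\AppData\Roaming\svc\upd.exe"},
    # Benign: an administrator pinging a server from cmd.exe, not a delay loop.
    {"type": "process", "pid": 5100, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping -n 2 10.0.0.5"},
]


def in_system_dir(path):
    """True for images under the Windows directory (case-insensitive)."""
    return path.lower().startswith(SYSTEM_DIR)


def is_ping_delay(ev):
    """ping launched by a non-system parent against loopback with a repeat
    count: the sleep trick used to outwait sandbox and AV scanning windows."""
    if ntpath.basename(ev["image"]).lower() != "ping.exe":
        return False
    m = re.search(r"-n\s+(\d+)", ev["cmdline"], re.IGNORECASE)
    if not m or int(m.group(1)) < 3:
        return False
    target = ev["cmdline"].split()[-1].lower()
    return target in LOOPBACK and not in_system_dir(ev["parent_image"])


def detect(events):
    """Return a sorted list of (rule, pid) findings over an event stream."""
    image_by_pid = {}
    findings = set()
    for ev in events:
        if ev["type"] == "process":
            image_by_pid[ev["pid"]] = ev["image"]
            if is_ping_delay(ev):
                findings.add(("ping_delay", ev["pid"]))
            # explorer.exe spawned by something outside the Windows directory:
            # the dropper staging a host process for DLL injection.
            if (ntpath.basename(ev["image"]).lower() == "explorer.exe"
                    and not in_system_dir(ev["parent_image"])):
                findings.add(("explorer_spawn", ev["pid"]))
        elif ev["type"] == "file":
            # A process writing over its own executable image: the dropper
            # replacing itself with a benign system binary after the delay.
            own_image = image_by_pid.get(ev["pid"], "")
            if own_image and ntpath.normcase(own_image) == ntpath.normcase(ev["target"]):
                findings.add(("self_overwrite", ev["pid"]))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each rule alone produces some noise (scripts do ping localhost to sleep, and installers do replace their own files); the value is in correlating them on one process tree, which is why `detect` keys the self-overwrite check on the PID of the process that launched the ping.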
To detect QakBot and similar malware, organizations should use adaptive malware detection solutions that provide real-time insight into social engineering techniques and keep pace with the continual evolution of the threat landscape.