Recent malware-induced Active Directory (AD) lockouts impacting numerous organizations appear to have been caused by the Qbot banking malware, IBM security researchers warn.
The researchers noticed that hundreds to thousands of AD users were locked out of their company’s domain in rapid succession, thus preventing employees of impacted organizations from accessing their endpoints, company servers and networked assets.
These incidents apparently hit numerous organizations and the Qbot banking Trojan (also known as Qakbot, Quakbot, or PinkSlip) is the culprit. The financial malware was designed to target businesses and siphon money from bank accounts, while being able to spread like a worm by self-replicating through shared drives and removable media.
Discovered in 2009, the malware has received numerous improvements over time, but IBM’s Michael Oppenheim reveals that this is the first time the security team has observed Qbot causing AD lockouts in affected organizational networks. The current campaigns appear focused on U.S. business banking services, including treasury, corporate banking and commercial banking.
Although it features a worm component, the malware is a fully-functional banking Trojan, packed with “powerful information-stealing features to spy on users’ banking activity and eventually defraud them of large sums of money,” Oppenheim says.
The threat features a modular design, is multithreaded, and includes components meant to steal online banking credentials, implement a backdoor, and create a SOCKS proxy. The malware also features extensive anti-research capabilities and can disable the security program on an endpoint, provided that it has admin privileges.
The malware also uses detection circumvention mechanisms that are different than those used by other threats in its class: “Upon infecting a new endpoint, the malware uses rapid mutation to keep AV systems guessing. It makes minor changes to the malware file to modify it and, in other cases, recompiles the entire code to make it appear unrecognizable,” Oppenheim explains.
Qbot uses a dropper for distribution, and usually uses delayed execution to evade detection. Following deployment, the dropper corrupts its file, and has its content overwritten by the legitimate Windows autoconv.exe command. It uses a Registry runkey and scheduled tasks to establish persistence.
In the recent attacks, the malware was also observed targeting Active Directory domains by performing three specific actions: it would lock out hundreds to thousands of accounts in quick succession; it would perform automated logon attempts, some launched using accounts that do not exist; it would deploy malicious executables to network shares and register them as a service.
“To access and infect other machines in the network, the malware uses the credentials of the affected user and a combination of the same user’s login and domain credentials, if they can be obtained from the domain controller (DC),” Oppenheim says.
Qbot either collects the username of the infected machine and uses it for lateral movement, or uses a list of hardcoded usernames instead. The Trojan uses three password schemes in its attempt to match usernames with various passwords. It also enumerates network shares of the target machine and attempts to copy itself to them.
Courtesy of man-in-the-browser (MitB) functionality, the malware can inject malicious code into online banking sessions, and fetches these scripts from the domain it controls. This allows the Trojan to display fake login pages to trick users into exposing their login credentials.
The threat is also able to steal user information such as keystrokes, cached credentials, digital certificates, HTTP(S) session authentication data, cookies (including authentication tokens and Flash cookies), and FTP and POP3 credentials.
It also sends to its server information about the system, IP address, DNS name, host name, username, domain, user privileges, OS version, network interfaces (address, netmask and status), installed software, credentials from the endpoint’s protected storage, account name and webserver credentials, connection type, POP3 username, server and password, and SMTP server and email addresses.
Meant to target the business banking sector, the malware is also known to have targeted organizations in the healthcare and education sectors, as its operators have added improvements to its code, to enhance persistence mechanisms, anti-AV and anti-research capabilities.
“Researchers believe that a closed, organized cybercrime gang with roots in Eastern Europe is responsible for QakBot,” Oppenheim says.
Due to long periods of inactivity, Qbot continues to be placed at the bottom of the top 10 list of the most active malware families, despite being one of the oldest threats in its category.