One Article Review
| Source |  Infosec Island |
|---|---|
| Identifiant | 1097689 |
| Date de publication | 2019-05-06 12:11:00 (vue: 2019-05-06 20:01:40) |
| Titre | Qakbot Trojan Updates Persistence, Evasion Mechanism |
| Texte | The Qakbot banking Trojan has updated its persistence mechanism in recent attacks and also received changes that potentially allow it to evade detection, Talos' security researchers say. Also known as Qbot and Quakbot, the Trojan has been around for nearly a decade, and has received a variety of changes over time to remain a persistent threat, although its functionality remained largely unaltered. Known for the targeting of businesses to steal login credentials and eventually drain their bank accounts, the malware has received updates to the scheduled task it uses to achieve persistence on the infected systems, which also allows it to evade detection. The Trojan typically uses a dropper to compromise a victim's machine. During the infection process, a scheduled task is created on the victim machine to execute a JavaScript downloader that makes a request to one of several hijacked domains. A spike in requests to these hijacked domains observed on April 2, 2019 (which follows DNS changes made to them on March 19) suggests that the threat actor has made updates to the persistence mechanism only recently, in preparation for a new campaign. The downloader requests the URI "/datacollectionservice[.]php3." from the hijacked domains, which are XOR encrypted at the beginning of the JavaScript. The response is also obfuscated, with the transmitted data saved as (randalpha)_1.zzz and (randalpha)_2.zzz and decrypted using a code contained in the JavaScript downloader. At the same time, a scheduled task is created to execute a batch file. The code reassembles the Qakbot executable from the two .zzz files, using the type command, after which the two .zzz files are deleted. The changes in the infection chain make it more difficult for traditional anti-virus software to detect attacks, and the malware may easily be downloaded onto target machine, given that it is now obfuscated and saved in two separate files. “Detection that is focused on seeing the full transfer of the malicious executable would likely miss this updated version of Qakbot. Because of this update to persistence mechanisms, the transfer of the malicious Qbot binary will be obfuscated to the point that some security products could miss it,” Talos concludes. Related: Qakbot, Emotet Increasingly Targeting Business Users: Microsoft Related: Qbot Infects Thousands in New Campaign |
| Envoyé | Oui |
| Condensat | /datacollectionservice 2019 accounts achieve actor after allow allows also although anti april are around attacks bank banking batch because been beginning binary business businesses campaign chain changes code command compromise concludes contained could created credentials data decade decrypted deleted detect detection difficult dns domains downloaded downloader drain dropper during easily emotet encrypted evade evasion eventually executable execute file files focused follows from full functionality given has hijacked increasingly infected infection infects its javascript known largely likely login machine made make makes malicious malware march may mechanism mechanisms microsoft miss more nearly new now obfuscated observed one only onto over persistence persistent php3 point potentially preparation process products qakbot qbot quakbot randalpha reassembles received recent recently related: remain remained request requests researchers response same saved say scheduled security seeing separate several software some spike steal suggests systems talos target targeting task them these thousands threat time traditional transfer transmitted trojan two type typically unaltered update updated updates uri users: uses using variety version victim virus which will would xor zzz “detection |
| Tags | Malware Threat |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.