1. Overview
QakBot (also known as QBot, QuakBot, Pinkslipbot)
is one of the famous Banking Trojan
with the main task to steal banking credentials, online banking session
information, or any other banking data. Although detected by anti-virus
software vendors since 2008, but util now it’s still operating and keep continuously
maintained by the gangs behind it. Qakbot continuously evolves by applying advance
or new techniques to evade detection and avoid reverse analysis, making
analysis more difficult. In recent reports, it could be used to drop other
malware such as ProLock,
Egregor
ransomware.
Qakbot
can be distributed via Emotet,
however Emotet has been taken down recently, currently this malware uses email spam and phishing
campaigns as main method. Unlike Emotet that uses MS-Word in conjunction with
VBA to download malicious payload, Qakbot uses MS-Excel with the support of Excel 4.0 Macro (XLM macro) to download and execute malicious payload on the
victim's computer.In
this article, we will analyze how QakBot infects after launched by malicious
Excel document, the techniques used to make the analysis difficult, and how to
extract the C2 list. QakBot’s persistence can not be detected at runtime, the
run key only created before system shutdown or enter suspended state, and
deleted immediately after QakBot is executed again. Qakbot also applied
encryption techniques to conceal information, as well as encrypt the payload on
memory.
