Cybersecurity experts have cracked the code that allows the Qakbot trojan to insert encrypted configuration data in the Windows Registry.
Qakbot, also known as QBot, QuackBot and Pinkslipbot, has been observed in the wild since 2007. Although mainly fashioned as an information-stealing malware, Qakbot has since shifted its goals and acquired new functionality to deliver post-compromise attack platforms such as Cobalt Strike Beacon, with the final objective of loading ransomware on infected machines.
“It has been continually developed, with new capabilities introduced such as lateral movement, the ability to exfiltrate email and browser data, and to install additional malware,” Trustwave researchers Lloyd Macrohon and Rodel Mendrez said in a report shared with The Hacker News.
In recent months, phishing campaigns have culminated in the distribution of a new loader called SQUIRRELWAFFLE, which acts as a channel to retrieve final-stage payloads such as Cobalt Strike and QBot.
Newer Qakbot versions have the capability to steal email and browser information, as well as to insert encrypted configuration information about the malware in the registry. This is part of Qakbot’s attempts to erase all trace of infection.
“While QakBot is not going fully fileless, its new tactics will surely lower its detection,” Hornetsecurity researchers pointed out in December 2020.
Trustwave analyzed the malware in order to decrypt it. The cybersecurity firm noted that the key is generated from a combination of the computer name and volume serial numbers, as well as the username and password. This key is used to encrypt the data stored in the registry key.
“The SHA1 hash result will be used as a derived key to decrypt the registry key value data respective to the ID using the RC4 algorithm,” the researchers said, in addition to making available a Python-based decryptor utility that can be used to extract the configuration from the registry.
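To make the derivation scheme described above concrete for analysts, the following is an added example, not Trustwave's decryptor and not code from the article. It assumes a specific field order and separator when combining the host identity fields (the article only states which fields are combined), uses constructed sample values, and applies a textbook RC4 implementation with the SHA1 digest as the key, so a captured registry value can be round-tripped offline:

```python
import hashlib

# Constructed sample host identity. Real values would come from the infected
# host; the password is a placeholder, not a real credential.
HOST = {
    "computer_name": "DESKTOP-EXAMPLE",
    "volume_serial": 0x1A2B3C4D,
    "username": "analyst",
    "password": "placeholder-password",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(computer_name: str, volume_serial: int, username: str, password: str) -> bytes:
    """SHA1 over the combined host identity fields.

    The field order and the backslash separator are assumptions made for this
    example; the article only says the fields are combined and hashed with SHA1.
    """
    material = f"{computer_name}\\{volume_serial:08X}\\{username}\\{password}".encode()
    return hashlib.sha1(material).digest()    # 20-byte RC4 key


def decrypt_registry_value(value_data: bytes, host: dict) -> bytes:
    """Decrypt one registry value's data with the host-derived key."""
    return rc4(derive_key(**host), value_data)


def build_sample_value(config: bytes, host: dict) -> bytes:
    """Constructed fixture: produce what an encrypted registry value would look like."""
    return rc4(derive_key(**host), config)


if __name__ == "__main__":
    encrypted = build_sample_value(b"sample-config-blob", HOST)
    print(encrypted.hex())
    print(decrypt_registry_value(encrypted, HOST))
```

Because the key depends on host-specific identifiers, the same registry data copied to another machine decrypts to garbage; an analyst therefore needs the original host's computer name, volume serial and user details (however the sample actually combines them) to recover the configuration.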