QakBot Returns, Locking Out Active Directory Accounts

QakBot, a worm-like, information-stealing strain of malware, is back and locking users out of their Active Directory accounts.

QakBot, a worm-like strain of information-stealing malware that’s been around since 2009, has resurfaced.

The malware has been a thorn in the side of administrators as of late. After a recent stretch of inactivity, researchers now link a rash of recent Microsoft Active Directory lockouts to QakBot.

Active Directory, Microsoft’s directory server, allows admins to control networks from a single location. Admins typically use the database to authenticate and authorize users.

The lockouts, which occurred last week, are a first for the malware and have left users unable to access endpoints, company servers and networked assets on affected domains, said Michael Oppenheim, Kevin Zuk, Matan Meir, and Limor Kessem, six researchers with IBM’s X-Force Research team, on Friday.

The latest iteration of the malware has been spreading through endpoints via a dropper that waits 10 to 15 minutes to execute in hopes of evading detection by sandboxes or anti-virus systems. The dropper opens an executable, injects a .DLL, and overwrites the original file. From there the dropper downloads QakBot’s payload.

The malware has exhibited worm-like tendencies in the past, such as being able to self-replicate via shared drives and removable media. This time around QakBot has been spreading through networks – and ultimately locking users out of their accounts – by cycling through user and domain credentials. The malware pairs logins with different password guessing schemes, including one that guesses passwords by using words in the dictionary.

“QakBot may collect the username of the infected machine and use it to attempt to log in to other machines in the domain. If the malware fails to enumerate usernames from the domain controller and the target machine, the malware will use a list of hardcoded usernames instead,” the researchers said in a blog post Friday.

Researchers say the dictionary-style attack has been successful and believe it’s responsible for the account lockouts.

“Under certain domain configurations, the malware’s dictionary attack for accessing the target machines can result in multiple failed authentication attempts, which eventually trigger an account lockout,” the researchers say.
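The spraying behaviour described above leaves a recognisable trail in the Windows Security log, and the following is an added detection example (not code from the article or from IBM X-Force): one infected host generates bursts of Event ID 4625 (failed logon) against many different account names, followed by Event ID 4740 (account locked out) that names that host as the caller. The event records and the thresholds are constructed for illustration; Event IDs 4625 and 4740 are the real Windows Security IDs.

```python
"""Flag hosts whose failed-logon stream looks like QakBot-style credential spraying.

Added example, not from the Threatpost article or IBM's report. Input is a
constructed SIEM-style export of (timestamp, event_id, target_user, source_host)
tuples; thresholds are assumptions to be tuned to the domain's lockout policy.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. WKSTN-17 mimics the worm trying many accounts in
# seconds; WKSTN-42 is a single user mistyping a password twice (benign).
SAMPLE_EVENTS = [
    ("2017-06-02T09:00:01", 4625, "jsmith",  "WKSTN-17"),
    ("2017-06-02T09:00:02", 4625, "admin",   "WKSTN-17"),
    ("2017-06-02T09:00:02", 4625, "backup",  "WKSTN-17"),
    ("2017-06-02T09:00:03", 4625, "svc_sql", "WKSTN-17"),
    ("2017-06-02T09:00:03", 4625, "jsmith",  "WKSTN-17"),
    ("2017-06-02T09:00:04", 4625, "mlee",    "WKSTN-17"),
    ("2017-06-02T09:00:05", 4625, "jsmith",  "WKSTN-17"),
    ("2017-06-02T09:00:06", 4740, "jsmith",  "WKSTN-17"),  # lockout, caller = WKSTN-17
    ("2017-06-02T09:00:09", 4740, "admin",   "WKSTN-17"),
    ("2017-06-02T09:05:00", 4625, "rgarcia", "WKSTN-42"),
    ("2017-06-02T09:05:20", 4625, "rgarcia", "WKSTN-42"),
]

WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_DISTINCT_ACCOUNTS = 3       # assumed: spraying touches many accounts
MIN_FAILURES = 5                # assumed: more failures than a typo produces


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_spraying_hosts(events, window=WINDOW,
                        min_accounts=MIN_DISTINCT_ACCOUNTS,
                        min_failures=MIN_FAILURES):
    """Return {source_host: summary} for every host that, within any sliding
    window, produced at least min_failures failed logons spread over at least
    min_accounts distinct accounts. The summary lists the accounts tried and
    the 4740 lockouts attributed to that host."""
    failures = defaultdict(list)   # host -> [(time, user)] in time order
    lockouts = defaultdict(set)    # host -> {locked-out users}
    for ts, event_id, user, host in sorted(events, key=lambda e: e[0]):
        if event_id == 4625:
            failures[host].append((parse_ts(ts), user))
        elif event_id == 4740:
            lockouts[host].add(user)

    findings = {}
    for host, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            distinct = {user for _, user in in_window}
            if len(in_window) >= min_failures and len(distinct) >= min_accounts:
                findings[host] = {
                    "failed_logons": len(attempts),
                    "distinct_accounts": sorted({u for _, u in attempts}),
                    "locked_out": sorted(lockouts.get(host, set())),
                }
                break   # one qualifying window is enough to flag the host
    return findings


if __name__ == "__main__":
    for host, summary in find_spraying_hosts(SAMPLE_EVENTS).items():
        print(host, summary)
```

The hosts this returns are the machines doing the guessing, which is where containment starts; the locked-out accounts are victims of the side effect, not the source. Because the lockout policy itself is what turns the guessing into a denial of service, the failure and account thresholds should sit below the domain's lockout threshold so the spraying is seen before accounts start locking.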

The malware has proved adept at evading detection before and remains as persistent as ever, the researchers say. It survives system reboots and removal attempts by using a Registry Run key and scheduled tasks. The Run key makes the malware launch automatically after each startup. The scheduled task, created with schtasks.exe, lets QakBot run at timed intervals, the researchers say.

QakBot’s persistence was blamed for a compromise at two Massachusetts state government offices, the Department of Unemployment Assistance and the Department of Career Services, in 2011. The offices said it was possible the malware, W32.QAKBOT, siphoned off individuals’ names, social security numbers, employer identification numbers and email addresses.

“W32.QAKBOT may have impacted as many as 1,500 computers housed in DUA and DCS including the computers at the One-Stop Career Centers,” the offices said at the time.

The malware was also linked to a hack at the investment and insurance company The Hartford in 2011, after a handful of servers used by employees for remote access to IT systems were hit.

Mike Oppenheim, Global Research Lead for IBM X-Force IRIS, told Threatpost Monday that while the bulk of the incidents the researchers have observed have hit the healthcare and tech industry, they don’t believe that any particular industry is being targeted.

“The targeted organizations and the lion’s share of banking targets are located in the US,” Oppenheim added.

This time around the lockouts are simply a side effect of the malware. QakBot, perhaps better known as a banking Trojan, hasn’t lost its knack for pilfering bank logins, researchers say.

The malware still has several mechanisms that help it piggyback onto victims’ banking sessions. It uses man-in-the-browser functionality to fetch malicious code from a domain the attacker controls and inject it into online banking sessions. The injects can assist attackers in the theft of user keystrokes, cached credentials, digital certificates, and session authentication data.

The lockouts and banking attacks proceed the same way, according to Oppenheim.

“In both cases the malware arrived through a malicious link in a phishing email,” Oppenheim said.

“One thing to keep in mind, this is a sophisticated criminal organization and we have seen hundreds of compromised devices communicating with their Command and Control. This group is looking to infect as many machines as possible. With their enormous quantity of hacked infrastructure, the C2s are churning out new, slightly tweaked, variants of QakBot by the hour to increase their financial return.”

The malware has been making the rounds for nearly eight years now and doesn’t seem to be going away anytime soon.

Researchers with BAE Systems said last April that QakBot, also known as Qbot, was responsible for 55,000 infections, with 85 percent of those affecting U.S.-based systems. Adrian Nish, head of cyber threat intelligence at BAE Systems, told Threatpost at the time that attackers were constantly recompiling code and repacking it to thwart detection.

“The authors behind Qbot are re-scrambling the code every day along with repacking it. One day an antivirus scan may be able to spot it, the next day it won’t,” Nish said.

Researchers at IBM on Friday also attributed the malware’s stealthiness to its developers, believed to be based in Eastern Europe, who take it offline from time to time to fine tune QakBot’s code, persistence mechanisms, anti-AV and anti-research capabilities.

The attackers’ inactivity is a conscious decision, “likely in an attempt to keep attacks to a minimum and avoid law enforcement,” the researchers said.
