When the QakBot rings twice

It is not always nice to see old friends again. Especially not when they ring the doorbell at half past five in the morning, rummage through your entire house and then let in a whole gang of acquaintances who rob you. Something similar applies to the malware QakBot, also known as QBot or Pinkslipbot, which was first discovered in 2007 and has been reappearing in increasing numbers for several months.

QakBot started out as a banking Trojan including a keylogger and now mainly appears as a so-called infostealer, which spreads via spam emails and is bundled with, or downloads, other malware. Since January 2020 the main target has primarily been the healthcare sector in the USA, but other sectors in other countries were and are also affected.

The two faces of QakBot

QakBot has so far appeared in two different ways.

On the one hand, QakBot is bundled with malicious Microsoft Office attachments that are used to launch attacks on the affected companies. QakBot first installs itself into temp files and network folders, replicates itself and creates autostart entries.

Among other things, the latter creates a scheduled task that executes the malicious code daily at 5:33 a.m. and then deletes it again. This malicious code reads out the IP address, host name, user name, operating system version and banking data. Using WebInject, a tool that was actually developed for automated testing of web applications, QakBot then interferes with the communication between the infected computer and banking websites and retrieves the user data.
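As an added illustration (not code from the original article or from NoSpamProxy), a small Python hunt over exported Windows scheduled-task XML definitions for the two traits described above: a trigger at 05:33 and an action executing from a temp or user profile folder. The task names, paths and XML bodies are constructed samples, not real captured artefacts.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML definitions (e.g. schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task definitions for this demo; task names and paths are made up.
SAMPLE_TASKS = {
    "Updater": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2020-04-01T05:33:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\user\\AppData\\Local\\Temp\\qb.exe</Command></Exec></Actions>
</Task>""",
    "Backup": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2020-04-01T22:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions>
</Task>""",
}

# Folders a legitimate scheduled binary rarely lives in (assumption for this example).
SUSPICIOUS_PATHS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\appdata\\roaming\\")


def task_indicators(xml_text: str) -> list[str]:
    """Return the list of indicators found in one task definition (empty = clean)."""
    root = ET.fromstring(xml_text)
    hits = []
    for sb in root.iterfind(".//t:CalendarTrigger/t:StartBoundary", NS):
        # StartBoundary is ISO 8601; characters 11..16 are the HH:MM part.
        if sb.text and sb.text[11:16] == "05:33":
            hits.append("trigger-at-05:33")
    for cmd in root.iterfind(".//t:Exec/t:Command", NS):
        if any(p in (cmd.text or "").lower() for p in SUSPICIOUS_PATHS):
            hits.append("exec-from-temp")
    return hits


def suspicious_tasks(tasks: dict[str, str]) -> dict[str, list[str]]:
    """Map task name -> indicators for every task that raised at least one."""
    return {name: ind for name, xml in tasks.items() if (ind := task_indicators(xml))}


if __name__ == "__main__":
    for name, ind in suspicious_tasks(SAMPLE_TASKS).items():
        print(f"{name}: {', '.join(ind)}")
```

Because the task deletes itself after running, a scheduled hunt should also keep an eye on task-creation events rather than relying on the task still being present at the time of the scan.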

On the other hand, QakBot works in combination with the ransomware ProLock, where QakBot serves as the door opener. QakBot connects to a hijacked mailbox and exploits the emails and contacts contained there by sending individual replies to the senders. Similar to Emotet, QakBot inserts itself into existing communication threads, which makes the attacks especially difficult to detect.

QakBot-contaminated emails contain links pointing to compromised websites from which contaminated files are then downloaded. Running these files then downloads the ransomware using PowerShell. More precisely, the ransomware is extracted from a supposed BMP, PNG or JPG file and loaded into memory via PowerShell.

The criminals react quickly

This is what happened to Diebold Nixdorf, a service provider and manufacturer of IT systems for banks and retail companies (ATMs and POS systems), which fell victim to QakBot and ProLock in April 2020.

The reaction speed of the criminals is also particularly impressive: while /wp-content paths were used at the beginning, these were, obviously after adjustments to spam filters, no longer used recently. The criminals also responded quickly and flexibly to the spam filters' countermeasures in terms of file names and types, for example by switching from VBS files to Word macros and back again.

How can you protect yourself from QakBot?

As with Emotet, the attacks by QakBot are so perfidious because they refer to previous conversations and authentic-looking replies are written. Comprehensive awareness training for employees is therefore the first step to prevent the success of such attacks and to protect your company.

This is particularly important because the quality of fake emails is constantly improving and they blend more and more seamlessly into existing communication threads. Only in this way can "quick clickers" be prevented from infecting entire IT infrastructures with malware or ransomware by opening files without thinking.

Nevertheless, it is essential to use a powerful email firewall for protection against spam and malware that fends off dangers from the outset. NoSpamProxy offers numerous features that protect you from attacks with malware such as QakBot or Emotet.

It doesn’t work without an Email firewall

An example of this is the URL Safeguard, which allows URLs in incoming emails to be rewritten or blocked and checks the URL each time it is clicked by the user to see whether it leads to a malicious target. If the URL is classified as dangerous, access is blocked. Blocked URLs can be released again by the administrator; until then, even the above-mentioned quick clickers cannot cause any damage.

The reputation filter evaluates the sender's reputation by checking SPF, DKIM and DMARC records and rejects fake emails in the vast majority of cases, no matter how well the email is done visually and in terms of content.

The content filter in NoSpamProxy in turn offers the option of blocking certain file types such as executable files or Word documents with macros, converting all Word, Excel and PDF files into harmless PDFs using Content Disarm and Reconstruction (CDR), or rejecting the entire email.
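The attachment checks described here and the disguised image files mentioned earlier (ransomware hidden in a supposed BMP, PNG or JPG) can be expressed as a small filter policy. The following Python is an added example written for this article, not NoSpamProxy's own code; the blocked extension lists and the minimal Office container used for testing are assumptions and constructed samples.

```python
import io
import zipfile

# Magic bytes of the image types the article says the ransomware is hidden behind.
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
               ".jpeg": b"\xff\xd8\xff", ".bmp": b"BM"}
# Assumed policy lists for this example.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".vbs", ".js", ".ps1", ".bat"}
OFFICE_ZIP_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def has_vba_macro(data: bytes) -> bool:
    """OOXML Office files are zip archives; a VBA project is stored as */vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Policy decision for one attachment: 'allow' or 'block:<reason>'."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in EXECUTABLE_EXT:
        return "block:executable-type"
    if data.startswith(b"MZ"):
        return "block:pe-header"            # Windows binary, whatever the name claims
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        return "block:image-type-mismatch"  # a "PNG" that does not start like a PNG
    if ext in OFFICE_ZIP_EXT and has_vba_macro(data):
        return "block:office-macro"
    return "allow"


def make_office_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_attachment("photo.jpg", b"MZ\x90\x00"))
    print(classify_attachment("re_offer.docm", make_office_doc(True)))
```

A genuine image with a payload appended after valid image data passes the magic-byte check, which is why the article's CDR conversion or rejection of the whole email remains the stronger option.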

Reliable protection against QakBot – with NoSpamProxy

With NoSpamProxy you can reliably protect your company from QakBot, Emotet and other malware. Additional functions for email encryption ensure that your entire email communication is completely secure. Request your trial now!