QakBot Returns with Evasive Tactics, Posing Renewed Threat

Thought to be neutralized last year, the notorious QakBot malware has re-emerged with updated techniques designed to evade detection and re-establish itself as a potent force in the threat landscape. Security analysts at Binary Defense have dissected a recent QakBot campaign, revealing new anti-analysis tricks and an innovative persistence mechanism.

QakBot, also known to the cyber underworld as QBot, was originally unleashed as a banking trojan. Its capabilities quickly evolved, demonstrating a disturbing proficiency in reconnaissance, data exfiltration, and the deployment of secondary payloads such as ransomware. QakBot’s primary method of infection has traditionally been phishing campaigns, adeptly manipulating human error to breach security defenses.

New phishing campaign | Image: Binary Defense

The botnet’s reign of digital terror was temporarily curtailed in late 2023 through Operation Duck Hunt, an international law enforcement effort that neutralized QakBot’s servers. This operation not only disrupted QakBot’s activities but also helped identify over 700,000 computers entangled within its vast network. However, like a phoenix rising from the ashes, QakBot has resurfaced, sporting enhancements aimed at evading detection and ensuring its survival in the infected hosts.

The latest iteration of QakBot showcases minor tweaks in its code and a novel approach to persistence, leveraging the srtasks.exe Windows process. This method aims to safeguard the malware’s presence even after the infected host undergoes restoration, a cunning tactic that illustrates the malware authors’ adaptability and focus on long-term infiltration.

Recent phishing campaigns have also seen QakBot masquerading as an IRS employee—a theme strategically chosen to exploit the anxieties of tax season. Although initially targeting the hospitality sector, the specificity of these attacks suggests a calculated attempt to refine its approach, potentially paving the way for broader, more devastating campaigns.

The reimagined QakBot employs a range of technical maneuvers designed to thwart analysis and detection. By utilizing Windows’ legitimate srtasks.exe process, the malware crafts a facade of legitimacy, making it challenging for users and security software to discern its malicious nature. The use of a bogus Adobe Reader installation window as a diversion further exemplifies QakBot’s sophisticated deception tactics.

One of the most intriguing aspects of this new variant is its use of the system’s restore points, a strategy not previously observed in QakBot campaigns. By embedding itself within the “Install” type restore point, cunningly described as an “Adobe Installation” in Russian, QakBot ensures its persistence, ready to spring back to life even after apparent removal.

QakBot’s resurgence is a sobering reminder of the adaptability of cybercriminal operations. As this malware family continues to refine its tactics, staying vigilant and proactive is crucial to mitigate the risks it poses.