Barkly vs Malware
Jonathan Crowe
Jul 2017

Barkly vs. QakBot Banking Trojan

Photo by Brook Ward

Not only is the latest version of QakBot draining corporate bank accounts, it's also triggering massive disruption by locking companies out of their networks. Watch Barkly stop it before any damage is done.

In late May 2017, researchers at IBM X-Force responded to a series of severe security incidents that appeared to be related. Employees at several organizations had suddenly found themselves cut off from their computers, the company servers, and the network. As a result, business operations had ground to a halt. 

Upon investigation, it was determined the disruption was caused by a wave of Active Directory lockouts triggered by the latest variant of the QakBot banking trojan — a self-propagating piece of malware notorious for its ability to evade detection while spreading all over infected organizations and draining business bank accounts dry.

Fortunately, Barkly is able to block QakBot automatically, before it can do any damage (see it in action vs. QakBot in the video below, and learn how Barkly's protection works here).


Though Barkly blocks it, this updated version of QakBot uses several advanced malicious tactics that are worth examining, so let's take a closer look.

What is QakBot and why is it dangerous?

QakBot is a banking trojan first discovered in 2009. According to researchers, it was the first banking trojan to exclusively target the business banking sector, and, eight years later, its primary goal continues to be taking over and draining company bank accounts.

How does it do that? Like other banking trojans, QakBot conducts a man-in-the-browser attack. Once it establishes a foothold on an infected device, QakBot bides its time, then springs to life when that device's user visits a banking website. Using keylogging, webinjects (scripts designed to make visual changes to the banking site, such as adding convincing pop-up forms), and other mechanisms, QakBot is capable of stealing the following:

  • user keystrokes
  • cached credentials
  • digital certificates
  • HTTP(S) session authentication data
  • cookies, including authentication and Flash cookies
  • FTP and POP3 credentials

As if waking up to discover the company bank account has been hijacked isn't bad enough, this latest version of QakBot has also been causing a significant amount of business downtime and disruption by triggering Active Directory lockouts. Before we dive deeper into that, however, let's review how QakBot infections start, actively evade detection, and spread across victim networks. 

The tactics QakBot uses to infect companies and evade detection

QakBot attacks typically get initiated the same way the majority of malware infections do — by employees falling victim to exploit kits (via malvertising and drive-by downloads) or phishing emails. These interactions result in a dropper program being left on the employee's machine. The goal of the dropper is to make sure it hasn't landed on a virtual machine or in a sandbox, then reach out and grab the QakBot payload once it's determined the coast is clear.

Beginning with this dropper, QakBot has several tricks up its sleeve it uses to avoid being spotted and establish persistent footholds throughout the network.

  • Delayed execution: When the dropper lands on an endpoint, it waits 10-15 minutes before doing anything in an attempt to avoid sandboxes. It then opens an instance of explorer.exe and injects the QakBot Dynamic Link Library (DLL) into that process. Lastly, it covers its tracks by overwriting the original contents of the dropper with the legitimate Windows autoconv.exe command.
  • Polymorphism: The QakBot payload itself has the ability to mutate rapidly. It can modify and even recompile its code completely on the fly, making it extremely difficult for antivirus programs to recognize and detect it.
  • Self-replication: QakBot also has the ability to make copies of itself and move laterally like a worm, spreading through network shares and removable drives.
  • Persistence: One of the most frustrating and damaging aspects of a QakBot infection for victims is its capacity for surviving system reboots and attempts to remove it. Not only does it create a registry entry to automatically launch itself each time the infected computer starts up, it also creates two recurring scheduled tasks to ensure it's still running and hasn't been removed. The first periodically attempts to launch QakBot, while the second launches another downloader to grab the payload again.

Spreading laterally and triggering account lockouts

Once it's set up shop on one machine, QakBot will try to infect others on the network using several methods of grabbing or guessing credentials.

First, it will see how far it can get with the infected user's username and password, then it will attempt to grab a list of the organization's usernames from the domain controller. If that attempt fails, QakBot will try to guess username/password combinations using a hardcoded list.

QakBot can attempt to guess passwords using a dictionary attack. Source: IBM X-Force

This is where the malware has the potential to trigger mass account lockouts, creating a disruptive nightmare for businesses. 
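As an added illustration (not Barkly's or IBM X-Force's code), the following Python scans constructed Security event 4740 (account lockout) records from a domain controller for one caller computer locking out many distinct accounts in a short window, which is the footprint the credential-guessing described above leaves behind.

```python
"""Flag an endpoint that locks out many distinct AD accounts in a short window,
the pattern a QakBot host produces when it guesses credentials from a
hardcoded list. Constructed example; not Barkly's or IBM's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Security event 4740 as exported
# from a domain controller: timestamp, event id, locked account, caller host.
SAMPLE_4740 = """\
2017-05-30T09:12:04 4740 TargetUserName=jsmith CallerComputerName=WS-FIN-07
2017-05-30T09:12:09 4740 TargetUserName=mlee CallerComputerName=WS-FIN-07
2017-05-30T09:12:15 4740 TargetUserName=admin CallerComputerName=WS-FIN-07
2017-05-30T09:12:21 4740 TargetUserName=svc_backup CallerComputerName=WS-FIN-07
2017-05-30T09:12:30 4740 TargetUserName=rpatel CallerComputerName=WS-FIN-07
2017-05-30T09:40:00 4740 TargetUserName=kwong CallerComputerName=WS-HR-02
"""


def parse_4740(text):
    """Return a list of (timestamp, account, caller) tuples, one per 4740 line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "4740":
            continue  # skip blank lines and other event ids
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((datetime.fromisoformat(parts[0]),
                       fields["TargetUserName"], fields["CallerComputerName"]))
    return events


def lockout_sources(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {caller: sorted accounts} for callers that locked out at least
    min_accounts distinct accounts within any sliding time window."""
    by_caller = defaultdict(list)
    for ts, acct, caller in sorted(events):
        by_caller[caller].append((ts, acct))
    flagged = defaultdict(set)
    for caller, evs in by_caller.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            accts = {a for _, a in evs[start:end + 1]}
            if len(accts) >= min_accounts:
                flagged[caller].update(accts)
    return {c: sorted(a) for c, a in flagged.items()}


if __name__ == "__main__":
    for caller, accts in lockout_sources(parse_4740(SAMPLE_4740)).items():
        print(f"{caller}: {len(accts)} accounts locked out -> {accts}")
```

A single workstation appearing as the caller for a burst of lockouts across unrelated accounts is the host to isolate first; a lone lockout from a different machine, like the WS-HR-02 line in the sample, stays below the threshold.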

QakBot also attempts to propagate by enumerating network shares, dropping copies of itself on them, and creating a service to execute them.

The importance of blocking QakBot infections before they take hold

The fact that QakBot has remained active all this time is a testament to its ability to evade detection, as well as its operators' commitment to keeping it under the radar. It's been regularly updated with new releases, and is now considered to be one of the most advanced banking trojans currently active.

Unfortunately, thanks to its worm capabilities and variety of persistence mechanisms, removing a QakBot infection after the fact is notoriously difficult. That makes blocking it at the very outset of an attack crucial for avoiding mass disruption to business operations as well as the hijacking of business bank accounts.

Barkly's runtime malware defense keeps companies safe from QakBot, even though its polymorphic features help it evade detection from traditional AV. Learn more about our new approach to endpoint protection here.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
