20th September 2021: The number of users attacked with QakBot, a powerful banking Trojan, in the first seven months of 2021 grew by 65% in comparison to the same period in 2020 and reached 17,316 users worldwide, demonstrating that this threat is increasingly affecting internet users. This rise has drawn the attention of Kaspersky researchers to the subject, leading them to review updates to the latest version of this Trojan.
Banking Trojans, when they have successfully infected a targeted computer, allow cybercriminals to steal money from victims’ online banking accounts and e-wallets – which is why they are considered one of the most dangerous types of malware. QakBot was identified as early as 2007 as one of the many banking Trojans. However, in recent years, QakBot’s developer has invested a lot into its development, turning this Trojan into one of the most powerful and dangerous among existing examples of this malware type.
In addition to functions that are quite standard for banking Trojans, like keylogging, cookie stealing, and password and login grabbing, recent versions of QakBot have included functionalities and techniques allowing it to detect if it is running in a virtual environment. Virtual environments are often used by security solutions and anti-malware specialists to identify malware via its behaviour. Now, if the malware detects it’s running in a virtual environment, it can stop suspicious activity or stop functioning completely. In addition, QakBot tries to protect itself from being analysed and debugged by experts and automated tools.
The other new and unusual function spotted by Kaspersky researchers in recent versions of QakBot is its ability to steal emails from the attacked machine. These emails are later used in various social engineering campaigns against users in the victim’s email contact list.
“QakBot is unlikely to stop its activity anytime soon. This malware continuously receives updates and the threat actors behind it keep adding new capabilities and updating its modules in order to maximise the revenue impact, along with stealing details and information. Previously, we’ve seen QakBot being actively spread via the Emotet botnet. This botnet was taken down at the beginning of the year, but judging by the infection attempt statistics, which have grown in comparison to the last year, the actors behind QakBot have found a new way of propagating this malicious software”, said Haim Zigel, malware analyst at Kaspersky.
Kaspersky security solutions successfully detect and block all known versions of the QakBot banking Trojan.
Learn more about QakBot on Securelist.
To stay safe from financial threats like QakBot, Kaspersky experts recommend that you:
- Do not follow links in spam messages or open documents attached to them.
- Use online banking with multifactor authentication solutions.
- Make sure all of your software is updated – including your operating system and all software applications (attackers exploit loopholes in widely used programs to gain entry).
- Use a trusted security solution that can help you check the security of the URL you’re visiting and open any site in a protected container to prevent theft of sensitive data (like financial information).