
Ransomware ProLock Uses the QakBot Banking Trojan to Infect Users

Written by David García | Jun 1, 2020 10:36:14 AM

QakBot is a banking Trojan that is considered to be the updated version of the banking Trojan known as QBot. QBot was detected in 2009 and ten years later, in early 2019, Varonis researchers found a new variant of the malware that is currently known as QakBot.

This banking Trojan includes components to record keystrokes, allowing users' credentials to be stolen for later use in committing fraud. In addition to logging keystrokes, it can install "hooks" in browser processes that intercept the traffic between the browser and the bank's web server, which lets it capture its victims' credentials and login data.

This banking Trojan has recently made headlines, not because of its banking functionality, but because the developers of the ProLock ransomware have used the Trojan's botnet of already-infected systems to deploy their ransomware.

As has occurred with other banking Trojans that have been converted to serve as a "dropper" for other types of malware (generally ransomware), such as Emotet or TrickBot, QakBot seems to be initiating its conversion to a "dropper".


QakBot as a banking Trojan

QakBot's use as a banking Trojan is typical of this type of malware. Attackers look to steal credentials through keystroke logging, although this is not the only strategy used to achieve the ultimate goal, which is money theft.

In addition to the keylogger feature, this Trojan is also capable of injecting its own code into the browsers used by users in order to implement hooks to intercept browser communications with the banks' servers. This allows the malware to obtain login and session credentials.

To avoid being noticed by the user, it also injects malicious code into processes other than the browser as part of its credential theft.

Specifically, QakBot samples usually launch a new Windows Explorer process (explorer.exe) and inject the main malicious code into it. That injected code establishes the first communication with the control server and then performs the injections into the browsers that are needed to steal victims' credentials.

Running a new "explorer.exe" process with malicious code

As for the distribution of this Trojan, its authors use fraudulent emails with attached documents. These documents carry malicious macros that run when they are opened in Microsoft Office. The macros download the final malware payload from the control server and run it, which installs it in the %APPDATA% folder on the infected computer.

Installation in %APPDATA%

To achieve persistence and start the malware at every boot, QakBot uses the registry "Run" key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).

Persistence in the registry's "Run" key
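The two installation traits described above, a binary under %APPDATA% referenced from the HKCU Run key and a new explorer.exe started by that binary, can be checked for in endpoint telemetry. The following triage script is an added example, not code from the original post; it runs over constructed Sysmon-style events (registry value set, process create) with simplified field names and placeholder paths.

```python
"""Added example: flag the QakBot installation pattern the post describes in
constructed Sysmon-style events. Field names are simplified (not Sysmon's
exact schema) and every path below is a constructed placeholder."""
import re

# HKCU (HKU\<SID>) ...\CurrentVersion\Run\<value name>
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# %APPDATA% resolves to <profile>\AppData\Roaming; AppData\Local is not %APPDATA%
APPDATA = re.compile(r"\\AppData\\Roaming\\", re.I)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def run_key_points_to_appdata(ev):
    """Event 13 (registry value set): Run-key value whose data is under %APPDATA%."""
    return (ev["id"] == 13 and RUN_KEY.search(ev["target"]) is not None
            and APPDATA.search(ev["details"]) is not None)


def explorer_spawned_from_appdata(ev):
    """Event 1 (process create): explorer.exe whose parent lives under %APPDATA%."""
    return (ev["id"] == 1 and _basename(ev["image"]) == "explorer.exe"
            and APPDATA.search(ev["parent_image"]) is not None)


def triage(events):
    """Return (rule, evidence) pairs for events matching either behaviour."""
    findings = []
    for ev in events:
        if run_key_points_to_appdata(ev):
            findings.append(("run_key_appdata", ev["details"]))
        elif explorer_spawned_from_appdata(ev):
            findings.append(("explorer_from_appdata", ev["parent_image"]))
    return findings


# Constructed sample telemetry: one malicious Run value, one benign one,
# one explorer.exe launched by the %APPDATA% binary, one normal logon explorer.
SAMPLE_EVENTS = [
    {"id": 13, "target": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "details": r"C:\Users\alice\AppData\Roaming\PLACEHOLDER\upd.exe"},
    {"id": 13, "target": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\PLACEHOLDER\upd.exe"},
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(rule, evidence)
```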


QakBot as a ProLock dropper

Beyond its use as a banking Trojan, the authors of ProLock appear to be using this malware to deploy their ransomware on computers that are already infected with QakBot. In the latest infections by this ransomware, its developers are not relying only on the "banker": they are also infecting computers with insecure configurations and/or weak Remote Desktop Protocol (RDP) passwords.

The developers of this ransomware have used the network of computers infected with QakBot to infect their victims.

As a ransom for the encrypted files, ProLock asks for a total payment of 35 Bitcoins, which at the current exchange rate would be about $312,000.


ProLock ransom note


Conclusions

QakBot and ProLock are just another example of how malware developers are gradually becoming interested in ransomware development, which today is one of the types of malware that seems to obtain the greatest benefits with the least amount of effort.

A minimum level of technical skill is required to develop a banking Trojan that steals credentials and money and succeeds in committing fraud.

Relatively complex techniques must be used, such as code injection in other processes (for example, browsers). In addition, today's security measures make it more difficult to commit fraud, since transactions must be authorised with single-use codes that are sent to a mobile device (2FA).

However, developing ransomware is as simple as developing software that encrypts files. After encryption, you only need to ask the user for an amount of money and wait to receive it.

The fight against banking malware continues and will continue long into the future, and we must be prepared to detect and neutralise this type of malware, protecting our users.

However, fraud schemes are constantly changing at the same time as new ways of obtaining the greatest benefits with the least amount of effort are being discovered.