Home / malware Backdoor:Win32/Qakbot.T
First posted on 12 February 2016.
Source: MicrosoftAliases :
There are no other names known for Backdoor:Win32/Qakbot.T.
Explanation :
Installation
This threat can be installed by exploit kits, such as Sweet Orange. It can also spread using infected network and removable drives, such as USB flash drives. It installs a copy of itself on all accessible drives and network shares, using a random file name. The dropped copy can be run remotely.
The trojan is installed along with a dynamic link library (DLL) file that contains encrypted configuration data to %APPDATA%\Microsoft\\ . The folder and file names are the same, for example:
- %APPDATA% \Microsoft\ypoplkc\ypoplkc.exe
- %APPDATA% \Microsoft\ypoplkc\ypoplkc.dll
Registry modifications
The maware creates the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value:
With data: "%APPDATA%\Microsoft\\ "
The malware installs itself as a Windows service by modifying the following registry entries:
In subkey: HKLM\SYSTEM\CurrentControlSet\services\
Sets value: "Type"
With data: dword:00000010
Sets value: "Start"
With data: dword:00000002
Sets value: "ErrorControl"
With data: dword:00000000
Sets value: "ServiceName"
With data: ""
Sets value: "DisplayName"
With data: "Remote Procedure Call (RPC) Service"
Sets value: "DependOnService"
With data: "Dnscache"
In subkey: HKLM\SYSTEM\CurrentControlSet\services\
Sets value: "ObjectName"
With data: "LocalSystem"
It also modifies the following registry entries to lower your Internet security settings:
In subkey: HKCU\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\\2
Sets value: "2500"
With data: dword:00000003
In subkey: HKCU\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\\3
Sets value: "2500"
With data: dword:00000003
The trojan can create a shortcut file in the Startup folder that links back to its copy.
Payload
Allows backdoor access and control
This threat contacts a remote server to receive commands from a malicious hacker. Once connected, the malicious hacker can command the trojan to do a number of things, including:
- Collect information about your PC
- Check for new malware version
- Download and run files, such as a malware update
- Login to FTP sites using stolen credentials
- Download collected data
- Detect which antivirus program you have on your PC
- Detect whether it is running in a virtual machine and/or honeypot
- Stop processes by process ID (PID) or string matching
- Log keystrokes
- Load a specified configuration file
- Steal email user names and passwords
- Steal POP3 and FTP credentials
- Collect your cookies and digital certificates
- Delete your cookies
- Infect removable drives
- Infect accessible network shares
- Contact a SOCKs server
Steals your banking information
A malicious hacker can also tell the trojan to steal your online banking information. The trojan watches to see if you visit any URLs that include the following strings:
- web-access.com
- webcashmgmt.com
- /achupload
- /cashman/
- /cashplus/
- /clkccm/
- /cmserver/
- /corpach/
- /ibws/
- /payments/ach
- /stbcorp/
- /wcmpr/
- /wcmpw/
- /wcmtr/
- /wires/
- /wiret
- access.jpmorgan.com
- accessonline.abnamro.com
- achbatchlisting
- bankeft.com
- blilk.com
- business-eb.ibanking-services.com
- businessaccess.citibank.citigroup.com
- businessbankingcenter.synovus.com
- businessinternetbanking.synovus.com
- businessonline.huntington.com
- businessonline.tdbank.com
- cashproonline.bankofamerica.com
- cbs.firstcitizensonline.com
- chsec.wellsfargo.com
- cmol.bbt.com
- commercial.bnc.ca
- commercial.wachovia.com
- commercial2.wachovia.com
- commercial3.wachovia.com
- commercial4.wachovia.com
- corporatebanking
- cpw-achweb.bankofamerica.com
- ctm.53.com
- directline4biz.com
- directpay.wellsfargo.com
- e-facts.org
- e-moneyger.com
- each.bremer.com
- ebanking-services.com
- express.53.com
- firstmeritib.com
- firstmeritib.com/defaultcorp.aspx
- goldleafach.com
- iachwellsprod.wellsfargo.com
- ibc.klikbca.com
- iris.sovereignbank.com
- itreasury.regions.com
- itreasurypr.regions.com
- jsp/mainWeb.jsp
- ktt.key.com
- moneymanagergps.com
- netconnect.bokf.com
- nj00-wcm
- ocm.suntrust.com
- onlineserv/CM
- otm.suntrust.com
- paylinks.cunet.org
- premierview.membersunited.org
- providentnjolb.com
- scotiaconnect.scotiabank.com
- securentrycorp.amegybank.com
- securentrycorp.zionsbank.com
- singlepoint.usbank.com
- svbconnect.com
- tcfexpressbusiness.com
- tmcb.zionsbank.com
- tmconnectweb
- treas-mgt.frostbank.com
- treasury.pncbank.com
- trz.tranzact.org
- tssportal.jpmorgan.com
- wc.wachovia.com
- wcp.wachovia.com
- web-cashplus.com
- webexpress.tdbank.com
- wellsoffice.wellsfargo.com
If you visit one of these banking websites the malware can monitor the communication and capture your sensitive information, such as your user name and password.
Sends stolen data to a malicious hacker
This threat can send the information it collects from your PC back to a remote server via HTTP or FTP. We have seen it connect to the following servers:
- 85.114.135.19 using TCP/8080
- 213.239.202.52 using TCP/65400
Blocks access to security websites
The malware hooks several APIs to monitor system events related to its information stealing routines. It can then block access to some security-related websites. We have seen it hooks the following APIs:
- advapi32.dll!RegEnumValueW
- advapi32.dll!RegEnumValueA
- dnsapi.dll!DnsQuery_A
- dnsapi.dll!DnsQuery_W
- iphlpapi.dll!GetTcpTable
- iphlpapi.dll!AllocateAndGetTcpExTableFromStack
- kernel32.dll!GetProcAddress
- kernel32.dll!FindFirstFileA
- kernel32.dll!FindNextFileA
- kernel32.dll!FindFirstFileW
- kernel32.dll!FindNextFileW
- ntdll.dll!NtQuerySystemInformation
- ntdll.dll!NtResumeThread
- ntdll.dll!LdrLoadDll
- wininet.dll!HttpOpenRequestA
- ininet.dll!HttpOpenRequestW
- wininet.dll!HttpSendRequestA
- wininet.dll!HttpSendRequestW
- ninet.dll!HttpSendRequestExW
- wininet.dll!InternetReadFile
- wininet.dll!InternetReadFileExA
- wininet.dll!InternetWriteFile
- wininet.dll!InternetCloseHandle
- wininet.dll!InternetQueryDataAvailable
- wininet.dll!HttpOpenRequestA
- wininet.dll!HttpOpenRequestW
- ws2_32.dll!connect
- ws2_32.dll!send
- ws2_32.dll!WSASend
- ws2_32.dll!WSAConnect
- user32.dll!GetClipboardData
- user32.dll!CharToOemBuffA
- user32.dll!TranslateMessage
We have seen it block the following security-related websites:
- Agnitum
- Ahnlab
- Arcabit
- Avast
- Avg
- Avira
- Avp
- Bit9
- Bitdefender
- Castlecops
- Centralcommand
- Clamav
- Clearclouddns
- Comodo
- Computerassociates
- Cpsecure
- Defender
- Download.microsoft
- Drweb
- Emsisoft
- Esafe
- Eset
- Etrust
- Ewido
- Explabs
- F-prot
- F-secure
- Fortinet
- Gdata
- Grisoft
- Hacksoft
- Hauri
- Hautesecure.com
- Ikarus
- Jotti
- KI7computing
- Kaspersky
- Malware
- Mcafee
- Networkassociates
- Nod32
- Norman
- Norton
- Panda
- Pctools
- Phishtank.com
- Prevx
- Quickheal
- Rising
- Rootkit
- Sanasecurity
- Securecomputing
- Sophos
- Spamhaus
- Spyware
- Sunbelt
- Symantec
- Threatexpert
- Threatfire
- Trendmicro
- Truste.com
- Update.microsoft
- Virus
- Webroot
- Wilderssecurity
- Windowsupdate
Additional information
- Proofpoint blog: How to steal access to over 500,000 bank accounts: The insider view of a Russian cybercrime infrastructure
- Microsoft Malware Protection Center Threat Report - Qakbot
- Implement strict provisioning and administration practices
- W32/Pinkslipbot threat advisory
Analysis by Rex PlantadoLast update 12 February 2016
