The number of users attacked by the powerful banking Trojan QakBot in the first seven months of 2021 grew by 65% in comparison to the same period in 2020 and reached 17 316 users worldwide.
Banking Trojans, when they have successfully infected a targeted computer, allow cybercriminals to steal money from victims’ online banking accounts and e-wallets – which is why they are considered one of the most dangerous types of malware.
QakBot was identified as early as 2007 as one of the many banking Trojans. However, in recent years, QakBot’s developer has invested a lot into its development, turning this Trojan into one of the most powerful and dangerous among existing examples of this malware type.
In addition to functions that are quite standard for banking Trojans, such as keylogging, cookie stealing, and password and login grabbing, recent versions of QakBot include functionality and techniques that allow it to detect whether it is running in a virtual environment.
Virtual environments are often used by security solutions and anti-malware specialists to identify malware via its behaviour. If the malware detects that it is running in one, it can stop suspicious activity or stop functioning completely. In addition, QakBot tries to protect itself from being analysed and debugged by experts and automated tools.
The other new and unusual function spotted by Kaspersky researchers in recent versions of QakBot is its ability to steal emails from the attacked machine. These emails are later used in various social engineering campaigns against users in the victim’s email contact list.
“QakBot is unlikely to stop its activity anytime soon,” says Haim Zigel, malware analyst at Kaspersky. “This malware continuously receives updates and the threat actors behind it keep adding new capabilities and updating its modules in order to maximise the revenue impact, along with stealing details and information.
“Previously, we’ve seen QakBot being actively spread via the Emotet botnet. This botnet was taken down at the beginning of the year, but judging by the infection attempt statistics, which have grown in comparison to the last year, the actors behind QakBot have found a new way of propagating this malicious software.”