<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><strong><img src="https://info.threatstop.com/hubfs/computer%20alert.png" alt="Computer displaying a warning" style="display: block; margin-left: auto; margin-right: auto; width: 455px;" title="Computer displaying a warning" caption="false" data-constrained="true" width="455"></strong></p> <p><strong>Qakbot</strong>, also known as <strong>Qbot</strong>, is a network worm <a href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf" target="_blank">targeting banking credentials</a>. It propagates by copying itself to network drives and infecting removable drives.</p> <!--more--> <p>First seen in 2009, researchers at Cylance most recently found&nbsp;<a href="https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html" target="_blank">thousands of infections by the malware</a>. They believe this sharp increase in infections could be linked to exploit kits like&nbsp;<strong><a href="https://blog.threatstop.com/rig-exploit-kit-takedown-operation-shadowfall" target="_blank">RIG EK</a></strong>.</p> <p>Upon infection with <strong>Qbot</strong>, computers will download a file from a speed test website, determining the amount of bandwidth available to it.</p> <p>It will contact the C&amp;C server and enumerate the installed software on the device, including the IP address of the infected network and whether the infected user has admin credentials.</p> <p>To&nbsp;<a href="https://resources.baesystems.com/pages/view.php?ref=39115&amp;k=46713a20f9" target="_blank">spread to password protected drives</a>, <strong>Qbot</strong> will initially attempt brute force using a short list of common passwords. If that fails, the malware will try to access cached passwords in Window's Credential Store and Internet Explorer's Password Manager.</p> <p>In order to avoid antivirus detection, it's <a href="https://threatpost.com/qbot-malware-morphs-quickly-to-evade-detection/117377/" target="_blank">continuously recompiled</a> after injecting random data into the binary template. This will create a "new" copy of the malware, hashed to different values.</p> <p>Specifically, this shows that just using hashes to prevent malware infection does not work. Cyber criminals continuously find different ways to evade anti-malware programs.</p> <p>The <a href="https://threatpost.com/qakbot-returns-locking-out-active-directory-accounts/126071/" target="_blank">latest version of the malware</a> aims to avoid sandbox-based detection by waiting 10 to 15 minutes before executing. This update has been seen locking victims out of Active Directory accounts after repeated brute force attempts. Too many failed authentications leave employees unable to access<a href="https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/" target="_blank"> their computers and company servers</a>.</p> <p>The latest campaign is primarily focused on banking industries in the United States, but has also been seen targeting pharmaceutical businesses and companies in the technology sector.</p> <p>To add protection against <strong>Qbot </strong>we recommend enabling the following targets:</p> <ul> <li>Standard mode <ul> <li>TS Curated - Core Tier 1 - IPs</li> <li>TS Curated - Botnets Tier 1 - Domains</li> <li>TS Curated - Botnets Tier 1 - IPs</li> </ul> </li> <li>Expert mode&nbsp;<span>(included in the curated targets for standard mode)</span> <ul> <li>TS Originated - Core Threats - IPs&nbsp;</li> <li>TS Originated - Core Threats - Domains&nbsp;</li> </ul> </li> </ul> <p>If you do not have a ThreatSTOP account, for a free trial.</p> <p>If you do have a ThreatSTOP account, instructions to add targets to a <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+DNS+Firewall#ThreatSTOPDNSFirewall-DNSFWPolicy">DNS</a> or <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+IP+Firewall">IP</a> Firewall policies are available on the ThreatSTOP Documentation Hub. Or, contact our&nbsp; team.</p></span>
![ChinaNet IP 14.135.120[.]19 has one heck of a bad reputation](https://www.threatstop.com/hs-fs/hubfs/chinanet_ip_targets.png?width=600&name=chinanet_ip_targets.png)
