Recent insights from cybersecurity researchers have provided a deeper understanding of the Qakbot banking trojan’s methods for embedding encrypted configuration data into the Windows Registry. This malware, also known by other aliases including QBot, QuackBot, and Pinkslipbot, has been present since 2007, initially designed for information theft but evolving to facilitate complex attack frameworks, including the deployment of ransomware via platforms like Cobalt Strike Beacon.

Qakbot showcases an impressive trajectory of development, introducing tactics such as lateral movement, email and browser data exfiltration, and the installation of supplementary malware post-infection. According to Trustwave researchers Lloyd Macrohon and Rodel Mendrez, the malware’s capabilities have been continuously upgraded, indicating a rather sophisticated operational maturity.

Phishing campaigns have increasingly involved the distribution of a new loader known as SQUIRRELWAFFLE, which serves as a conduit for delivering more advanced payloads, including those associated with Qakbot. This trend highlights the adaptive nature of cyber threats where tactics continually evolve to exploit weaknesses in endpoint security.

The latest variants of Qakbot have advanced to stealing email and browser data, and to storing encrypted configuration data in the Windows Registry instead of in files on disk. This strategy minimizes the malware's on-disk footprint and complicates detection. As Hornetsecurity's researchers noted, these newer approaches do not achieve fully fileless execution, but they do significantly lower the likelihood of detection by traditional, file-oriented security measures.

Trustwave's research focuses on deciphering how Qakbot encrypts the configuration data it stores in the registry. The key is derived from three host-specific values: the computer name, the volume serial number, and the user account name. This data is salted with a one-byte identifier and hashed; the resulting SHA1 hash is then used as the key for decrypting the registry data with the RC4 algorithm. Because the key depends on these host identifiers, a registry blob copied from an infected machine cannot be decrypted without them. Researchers have made available a Python-based utility that decrypts these configurations, further emphasizing the complexity and sophistication of the Qakbot operation.
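The following is an added illustration of the key-derivation and decryption scheme described above, written for this page; it is not Trustwave's utility and not Qakbot's code. The article gives only the ingredients (computer name, volume serial number, user account name, a one-byte salt identifier, SHA1, RC4), so the concatenation order, casing, encoding of the serial number, and the sample host values and configuration bytes are all assumptions constructed for the example. Because RC4 is symmetric, the same routine encrypts a constructed sample blob and decrypts it again, which lets an analyst verify the approach offline and see that a wrong host value or wrong identifier yields garbage rather than the configuration.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the keystream over data.
    RC4 is symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(computer_name: str, volume_serial: int, user_name: str, value_id: int) -> bytes:
    """Build the RC4 key from host identifiers plus a one-byte salt, as the
    article describes. ASSUMPTION (illustrative, not Qakbot's exact layout):
    values are upper-cased, the serial is rendered as 8 hex digits, and the
    one-byte identifier is appended as the salt before hashing."""
    material = f"{computer_name.upper()}{volume_serial:08X}{user_name.upper()}".encode("ascii")
    salted = material + bytes([value_id & 0xFF])
    return hashlib.sha1(salted).digest()  # 20-byte digest used directly as the RC4 key


def decrypt_registry_value(blob: bytes, computer_name: str, volume_serial: int,
                           user_name: str, value_id: int) -> bytes:
    """Decrypt one registry value blob with the host-derived key."""
    return rc4(derive_key(computer_name, volume_serial, user_name, value_id), blob)


def encrypt_registry_value(plain: bytes, computer_name: str, volume_serial: int,
                           user_name: str, value_id: int) -> bytes:
    """Produce a blob in the same scheme (used here only to build test data)."""
    return rc4(derive_key(computer_name, volume_serial, user_name, value_id), plain)


# Constructed sample host identity and configuration; not real IoCs.
SAMPLE_HOST = {"computer_name": "DESKTOP-EXAMPLE", "volume_serial": 0x1A2B3C4D,
               "user_name": "analyst"}
SAMPLE_VALUE_ID = 0x2F
SAMPLE_CONFIG = b"campaign=example-placeholder;c2=203.0.113.10:443;ts=0"


def build_sample_blob() -> bytes:
    """Encrypt the constructed configuration the way the scheme would store it."""
    return encrypt_registry_value(SAMPLE_CONFIG, value_id=SAMPLE_VALUE_ID, **SAMPLE_HOST)


def recover_sample_config(blob: bytes) -> bytes:
    """Decrypt with the correct host identity and identifier."""
    return decrypt_registry_value(blob, value_id=SAMPLE_VALUE_ID, **SAMPLE_HOST)


def recover_with_wrong_host(blob: bytes) -> bytes:
    """Same blob, different computer name: the key no longer matches."""
    wrong = dict(SAMPLE_HOST, computer_name="OTHER-HOST")
    return decrypt_registry_value(blob, value_id=SAMPLE_VALUE_ID, **wrong)


if __name__ == "__main__":
    blob = build_sample_blob()
    print("blob  :", blob.hex())
    print("config:", recover_sample_config(blob))
    print("wrong :", recover_with_wrong_host(blob)[:16].hex(), "...")
```

The practical point for analysts is in `derive_key`: the three host values and the per-value identifier must be collected from the infected machine alongside the registry blob, or the blob cannot be decrypted at all, and a blob from one host will never decrypt with another host's values.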
