QakBot is a network worm that self-replicates, primarily over shared drives and removable media. The malware mainly targets corporate bank accounts in order to steal user funds and private data such as digital certificates, cached credentials, HTTP(S) session authentication data, cookies, authentication tokens, and FTP and POP3 login credentials. Recently, QakBot was found carrying out attacks against US government agencies and banks, including the US National Treasury, corporate banking and commercial banks.
The investigation showed that, in addition to using a special detection mechanism to evade sandboxes, QakBot also uses a dropper that launches explorer.exe and automatically injects the QakBot dynamic-link library (DLL) into that process, after which it destroys its original file.
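The dropper behaviour described above (spawn explorer.exe, then inject into it) leaves a correlatable trace in endpoint telemetry. The following is an added detection example, not code from the original report or from any vendor: it runs over a constructed, Sysmon-style event list (event 1 = process creation, event 8 = CreateRemoteThread) and flags any process that both spawned a fresh explorer.exe and then created a remote thread in it. Field names and paths are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-like record (assumed field layout, not real telemetry)."""
    event_id: int            # 1 = process create, 8 = CreateRemoteThread
    pid: int                 # source/created process id
    image: str               # source/created process image path
    parent_pid: int = 0      # event 1 only
    parent_image: str = ""   # event 1 only
    target_pid: int = 0      # event 8 only
    target_image: str = ""   # event 8 only


def _is_explorer(path: str) -> bool:
    return path.lower().endswith("\\explorer.exe")


def find_explorer_injection(events):
    """Return (injector_image, explorer_pid) pairs where the same process that
    spawned a new explorer.exe later created a remote thread inside it."""
    # explorer pid -> pid of the process that spawned it
    spawned_by = {}
    for e in events:
        if e.event_id == 1 and _is_explorer(e.image):
            spawned_by[e.pid] = e.parent_pid
    hits = []
    for e in events:
        if (e.event_id == 8 and _is_explorer(e.target_image)
                and spawned_by.get(e.target_pid) == e.pid):
            hits.append((e.image, e.target_pid))
    return hits


# Constructed sample: a normal logon-spawned explorer, then a dropper that
# starts its own explorer.exe and injects into it, plus one unrelated event 8.
DROPPER = r"C:\Users\user\AppData\Roaming\dropper.exe"
SAMPLE_EVENTS = [
    Event(1, 4100, r"C:\Windows\explorer.exe", 800, r"C:\Windows\System32\userinit.exe"),
    Event(1, 5200, DROPPER, 4100, r"C:\Windows\explorer.exe"),
    Event(1, 5300, r"C:\Windows\explorer.exe", 5200, DROPPER),
    Event(8, 5200, DROPPER, target_pid=5300, target_image=r"C:\Windows\explorer.exe"),
    Event(8, 4100, r"C:\Windows\explorer.exe", target_pid=5200, target_image=DROPPER),
]

if __name__ == "__main__":
    for image, pid in find_explorer_injection(SAMPLE_EVENTS):
        print(f"suspicious: {image} spawned and injected into explorer.exe pid {pid}")
```

The correlation deliberately ignores the logon-time explorer.exe (spawned by userinit.exe, never injected by its parent) so that only the spawn-then-inject pair is reported.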
Security experts say that the QakBot banking malware can also receive specific commands from its C&C server to keep itself up to date and to spread across the target network. In addition, QakBot can carry out a Man-in-the-Browser (MitB) attack, injecting malicious code into an online banking session that fetches its script from an attacker-controlled domain.