ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Tool: QakBot

Names: QakBot, QuakBot, QuackBot, Qbot, PinkSlip, Pinkslipbot, Oakboat
Category: Malware
Type: Banking trojan, Backdoor, Credential stealer, Tunneling, Worm, Botnet
Description: (IBM) Though well-known and familiar from previous online fraud attacks, QakBot continually evolves. This is the first time IBM X-Force has seen the malware cause AD lockouts in affected organizational networks.

Although part of QakBot is known to be a worm, it is a banking Trojan in every other sense. QakBot is modular, multithread malware whose various components implement online banking credential theft, a backdoor feature, SOCKS proxy, extensive anti-research capabilities and the ability to subvert antivirus (AV) tools. Aside from its evasion techniques, given admin privileges, QakBot’s current variant can disable security software running on the endpoint.
Information:
<https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/>
<https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/>
<https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/>
<https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf>
<https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html>
<https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf>
<https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html>
<https://www.fortinet.com/blog/threat-research/deep-analysis-of-a-qbot-campaign-part-1>
<https://www.fortinet.com/blog/threat-research/deep-analysis-qbot-campaign>
<https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/>
<https://www.bleepingcomputer.com/news/security/qbot-uses-windows-defender-antivirus-phishing-bait-to-infect-pcs/>
<https://www.bleepingcomputer.com/news/security/qbot-malware-is-back-replacing-icedid-in-malspam-campaigns/>
<https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot>
<https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/>
<https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/>
<https://securityaffairs.co/wordpress/117558/cyber-crime/qakbot-latest-release.html>
<https://securelist.com/qakbot-technical-analysis/103931/>
<https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html>
<https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/>
<https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html>
<https://thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html>
<https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/>
<https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot>
<https://cofense.com/blog/qakbot-campaign-attempts-to-revive-old-emails>
<https://cofensestaging.wpengine.com/blog/qakbot-campaign-attempts-to-revive-old-emails>
<https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/>
<https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/>
<https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques>
<https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails>
<https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/>
<https://blog.talosintelligence.com/2022/07/what-talos-incident-response-learned.html>
<https://www.trendmicro.com/en_us/research/22/j/where-is-the-origin-qakbot-uses-valid-code-signing-.html>
<https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies>
<https://asec.ahnlab.com/en/47785/>
<https://asec.ahnlab.com/en/51282/>
<https://www.bleepingcomputer.com/news/security/new-qbot-email-attacks-use-pdf-and-wsf-combo-to-install-malware/>
<https://securelist.com/qbot-banker-business-correspondence/109535/>
<https://blog.barracuda.com/2023/04/25/cybersecurity-threat-advisory--new-qbot-malware-delivering-campa/>
<https://asec.ahnlab.com/en/52067/>
<https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices/>
<https://blog.lumen.com/qakbot-retool-reinfect-recycle/>
<https://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis>
<https://www.team-cymru.com/post/visualizing-qakbot-infrastructure>
<https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory>
<https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown>
<https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a>
<https://thehackernews.com/2023/12/qakbot-takedown-aftermath-mitigations.html>
<https://www.bleepingcomputer.com/news/security/qbot-malware-returns-in-campaign-targeting-hospitality-industry/>
<https://www.bankinfosecurity.com/more-signs-qakbot-resurgence-a-24352>
<https://www.bleepingcomputer.com/news/security/new-qbot-malware-variant-uses-fake-adobe-installer-popup-for-evasion/>
MITRE ATT&CK: <https://attack.mitre.org/software/S0650/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:Qakbot>

Last change to this tool card: 07 March 2024

All groups using tool QakBot

Changed | Name | Country | Observed

APT groups

 | Mallard Spider | [Unknown] | 2008-Dec 2020

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center, Electronic Transactions Development Agency