ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool QakBot

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: QakBot

NamesQakBot
QuakBot
QuackBot
Qbot
PinkSlip
Pinkslipbot
Oakboat
CategoryMalware
TypeBanking trojan, Backdoor, Credential stealer, Tunneling, Worm, Botnet
Description(IBM) Though well-known and familiar from previous online fraud attacks, QakBot continually evolves. This is the first time IBM X-Force has seen the malware cause AD lockouts in affected organizational networks.

Although part of QakBot is known to be a worm, it is a banking Trojan in every other sense. QakBot is modular, multithread malware whose various components implement online banking credential theft, a backdoor feature, SOCKS proxy, extensive anti-research capabilities and the ability to subvert antivirus (AV) tools. Aside from its evasion techniques, given admin privileges, QakBot’s current variant can disable security software running on the endpoint.
Information<https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/>
<https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/>
<https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/>
<https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf>
<https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html>
<https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf>
<https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html>
<https://www.fortinet.com/blog/threat-research/deep-analysis-of-a-qbot-campaign-part-1>
<https://www.fortinet.com/blog/threat-research/deep-analysis-qbot-campaign>
<https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/>
<https://www.bleepingcomputer.com/news/security/qbot-uses-windows-defender-antivirus-phishing-bait-to-infect-pcs/>
<https://www.bleepingcomputer.com/news/security/qbot-malware-is-back-replacing-icedid-in-malspam-campaigns/>
<https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot>
<https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/>
<https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/>
<https://securityaffairs.co/wordpress/117558/cyber-crime/qakbot-latest-release.html>
<https://securelist.com/qakbot-technical-analysis/103931/>
<https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html>
<https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/>
<https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html>
<https://thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html>
<https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/>
<https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot>
<https://cofense.com/blog/qakbot-campaign-attempts-to-revive-old-emails>
<https://cofensestaging.wpengine.com/blog/qakbot-campaign-attempts-to-revive-old-emails>
<https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/>
<https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/>
<https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques>
<https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails>
<https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/>
<https://blog.talosintelligence.com/2022/07/what-talos-incident-response-learned.html>
<https://www.trendmicro.com/en_us/research/22/j/where-is-the-origin-qakbot-uses-valid-code-signing-.html>
<https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies>
<https://asec.ahnlab.com/en/47785/>
<https://asec.ahnlab.com/en/51282/>
<https://www.bleepingcomputer.com/news/security/new-qbot-email-attacks-use-pdf-and-wsf-combo-to-install-malware/>
<https://securelist.com/qbot-banker-business-correspondence/109535/>
<https://blog.barracuda.com/2023/04/25/cybersecurity-threat-advisory--new-qbot-malware-delivering-campa/>
<https://asec.ahnlab.com/en/52067/>
<https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices/>
<https://blog.lumen.com/qakbot-retool-reinfect-recycle/>
<https://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis>
<https://www.team-cymru.com/post/visualizing-qakbot-infrastructure>
<https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory>
<https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown>
<https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a>
<https://thehackernews.com/2023/12/qakbot-takedown-aftermath-mitigations.html>
<https://www.bleepingcomputer.com/news/security/qbot-malware-returns-in-campaign-targeting-hospitality-industry/>
<https://www.bankinfosecurity.com/more-signs-qakbot-resurgence-a-24352>
<https://www.bleepingcomputer.com/news/security/new-qbot-malware-variant-uses-fake-adobe-installer-popup-for-evasion/>
<https://securelist.com/cve-2024-30051/112618/>
MITRE ATT&CK<https://attack.mitre.org/software/S0650/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:Qakbot>

Last change to this tool card: 18 June 2024

Download this tool card in JSON format

All groups using tool QakBot

ChangedNameCountryObserved

APT groups

 Mallard Spider[Unknown]2008-Dec 2020 

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]