Qakbot banking trojan updates with new obfuscation techniques to evade detection

The Qakbot banking trojan (also known as Qbot) has been around since 2008. The trojan targets Microsoft Windows systems and attempts to create backdoors that steal usernames and passwords to obtain financial data.

Qakbot has now updated its persistence mechanism to make it more difficult for anti-virus software to detect and remove. A computer is usually infected by a dropper that creates a scheduled task on the infected machine; the task instructs the machine to execute a JavaScript download from a malicious domain controlled by the attacker.


In April of this year, Qakbot became more active. The new downloader requests resources from the same Uniform Resource Identifier on the hijacked domain. These resources are XOR-encrypted to obfuscate the malicious data contained in the JavaScript downloader and allow malicious programs to perform tasks.

Since the malware is now split into two separate files, Qakbot is deployed only when the embedded executable is running, which makes it harder for antivirus software to detect. Once deployed on the system, the malware works in the background to steal relevant data for the attacker's purposes.
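For analysts triaging a downloaded resource like the XOR-encrypted ones described above, the following added example (not code from the original article or from Talos) checks whether a blob is a Windows executable hidden behind a repeating XOR key. The article does not state the key scheme, so the key length limit (16 bytes), the DOS stub offset (0x4E) and the sample input are assumptions made for illustration.

```python
"""Triage helper: detect a repeating-key XOR layer hiding a Windows PE file."""
from itertools import cycle

DOS_STUB = b"This program cannot be run in DOS mode"
STUB_OFFSET = 0x4E  # assumption: usual position of the stub text in a PE


def xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, max_len: int = 16):
    """Return the shortest repeating XOR key that reveals a PE, or None.

    A result of b"\\x00" means the blob is a PE that is not obfuscated.
    """
    if len(blob) < STUB_OFFSET + len(DOS_STUB):
        return None
    # Known-plaintext step: if the stub sits at the assumed offset,
    # ciphertext XOR stub text yields the keystream at that position.
    stream = xor(blob[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)], DOS_STUB)
    for klen in range(1, max_len + 1):
        # A real key of this length makes the keystream periodic.
        if any(stream[i] != stream[i % klen] for i in range(len(stream))):
            continue
        # Rotate the keystream so key[0] lines up with blob offset 0.
        key = bytes(stream[(i - STUB_OFFSET) % klen] for i in range(klen))
        # Confirm with the second known value: the "MZ" magic at offset 0.
        if xor(blob[:2], key) == b"MZ":
            return key
    return None


def make_sample(key: bytes) -> bytes:
    """Constructed input: a fake PE header (not real malware) XORed with key."""
    plain = b"MZ" + bytes(STUB_OFFSET - 2) + DOS_STUB + b".\r\r\n$" + bytes(32)
    return xor(plain, key)


if __name__ == "__main__":
    found = recover_key(make_sample(b"\x5a\x13\xc7"))
    print("key:", found.hex() if found else "no XOR-wrapped PE found")
```

A hit is a reason to decode the blob with `xor()` and hand the result to normal PE analysis; a miss only rules out this particular layout, not obfuscation in general.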

Via: talosintelligence