Qakbot malware avoids discovery by breaking itself in two

News by Rene Millman

Researchers find encrypted code spread over multiple archives

Security researchers have discovered a new variant of the Qakbot malware that evades detection.

In a blog post, researchers at Cisco Talos said a new campaign used an updated persistence mechanism that can make it harder for users to detect and remove the trojan.

During an infection, the malware creates a scheduled task. This task will execute a JavaScript downloader that makes a request to one of several hijacked domains.

The downloader then retrieves encrypted malware code from these domains and saves it across multiple files.

"The domains used by the downloader for this request are XOR encrypted at the beginning of the JavaScript. The response to this request is obfuscated data that will be saved as (randalpha)_1.zzz and (randalpha)_2.zzz. The first 1,000 bytes of data are saved to the first .zzz file, while the remainder goes to the second file. The data in these files is decrypted with the code contained in the JavaScript downloader," researchers said.

They added that the code serves to reassemble the malicious Qakbot executable from the two .zzz files, using the type command.

"The two .zzz files are then deleted after the reassembled executable is run. The functionality of the Qakbot malware remains the same," they said.

Researchers also noted that comment strings within the malware suggested the malware developer had updated the code on 15 March. "This indicates that these changes to the Qbot persistence mechanism seem to coincide with the launch of a new campaign".

The changes in the Qakbot malware make it more difficult for traditional anti-virus software to detect, said researchers.

"This may allow the download of the malware to go undetected, as the malware is obfuscated when it is downloaded and saved in two separate files. These files are then decrypted and reassembled using the type command," researchers added.

"Detection that is focused on seeing the full transfer of the malicious executable would likely miss this updated version of Qakbot. Because of this update to persistence mechanisms, the transfer of the malicious Qbot binary will be obfuscated to the point that some security products could miss it."
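Detection that keys on the reassembly step rather than on the download is one way to close the gap Talos describes. The following is an added illustration, not code from the Talos write-up or from the malware: it flags process command lines in which the type command joins a *_1.zzz and a *_2.zzz file into an executable, and it models the 1,000-byte split so a scanner can rebuild and hash the full binary. The command lines and payload are constructed samples.

```python
import hashlib
import re

# Constructed sample process-creation command lines (not from the article).
SAMPLE_CMDLINES = [
    r"cmd.exe /c type C:\Users\u\AppData\Roaming\abcxyz_1.zzz "
    r"C:\Users\u\AppData\Roaming\abcxyz_2.zzz > C:\Users\u\AppData\Roaming\abcxyz.exe",
    r"cmd.exe /c type C:\logs\app.log",
    r"wscript.exe C:\Users\u\AppData\Roaming\abcxyz.js",
]

# "type <x>_1.zzz <x>_2.zzz > <out>": the reassembly pattern described by Talos.
# Paths are matched as non-whitespace runs; quoted paths containing spaces
# would need an extended pattern.
ZZZ_CONCAT = re.compile(
    r"\btype\s+(\S+_1\.zzz)\s+(\S+_2\.zzz)\s*>\s*(\S+)", re.IGNORECASE
)


def detect_zzz_reassembly(cmdline):
    """Return the two fragment paths and the output path, or None if no match."""
    m = ZZZ_CONCAT.search(cmdline)
    if not m:
        return None
    return {"part1": m.group(1), "part2": m.group(2), "output": m.group(3)}


def flag_cmdlines(cmdlines):
    """Indices of command lines that look like a .zzz reassembly."""
    return [i for i, c in enumerate(cmdlines) if detect_zzz_reassembly(c)]


def split_like_qakbot(payload, first_chunk=1000):
    """First 1,000 bytes to file one, remainder to file two (per the article)."""
    return payload[:first_chunk], payload[first_chunk:]


def reassemble(part1, part2):
    """Mirror what the type command does: concatenate the fragments."""
    return part1 + part2


def sha256_hex(data):
    """Hash the rebuilt binary so it can be compared against known samples."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print("suspicious command lines:", flag_cmdlines(SAMPLE_CMDLINES))
    p1, p2 = split_like_qakbot(b"MZ" + b"\x90" * 1498)  # constructed stand-in payload
    print("fragment sizes:", len(p1), len(p2))
    print("rebuilt hash:", sha256_hex(reassemble(p1, p2)))
```

Scanning either .zzz fragment alone yields a hash that matches nothing; hashing the reassembled bytes restores a value a scanner can act on.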
