Wednesday, December 1, 2010

Qakbot Trojan - Fast-spreading attack against U.S. financial institutions

This sort of thing isn't particularly new, but the Qakbot Trojan has recently been causing plenty of ripples in the security pond. Qakbot is different in that it almost exclusively targets U.S. financial institutions. It is also the first Trojan to exclusively target business and corporate accounts at these institutions. Qakbot's goal is to siphon out larger sums of money, much more than is generally available in private online accounts. While Qakbot is not the first or only Trojan to target such accounts, it is the only one that shows this strict 'preference' by design, with no exceptions. How does Qakbot infect its prey? It doesn't appear to rely on HTML or JavaScript code injections, or on the man-in-the-browser attacks typically used to circumvent two-factor authentication mechanisms.

Qakbot is designed to spread like a worm -- infecting multiple machines at a time -- while also stealing data like an ordinary bank Trojan. Qakbot targets shared networks, copying its executable file into shared directories, a technique that lets it propagate across corporate networks. In addition, Qakbot is the first Trojan to separate targeted credentials from other stolen information. The targeted credentials are sent to Qakbot's drop server, while credentials stolen from entities that Qakbot does not specifically target are uploaded to hijacked FTP accounts on legitimate FTP servers.
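As an added, defender-side example that is not from the original post: a small Python scan that walks a shared directory, flags any file carrying a PE ('MZ') header whether or not its extension says so, and reports those whose hash is not in an approved baseline. The share layout, file names and baseline hash are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# For this demonstration a 2-byte DOS header marks a file as a PE executable;
# real PE files carry much more, but the 'MZ' check is the same.
PE_MAGIC = b"MZ"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_pe_file(path):
    """True if the file starts with the DOS 'MZ' header, whatever its extension."""
    with open(path, "rb") as f:
        return f.read(2) == PE_MAGIC

def scan_share(root, baseline_hashes):
    """Return relative paths of executables on the share whose SHA-256 is not
    in the approved baseline. A worm copying itself into the share is reported
    regardless of the file name or extension it chose."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_pe_file(path) and sha256_of(path) not in baseline_hashes:
                findings.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(findings)

def build_sample_share():
    """Create a constructed (hypothetical) share layout in a temp directory."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "public", "tools"))
    samples = {
        "public/report.txt": b"quarterly numbers",           # not an executable
        "public/tools/approved.exe": PE_MAGIC + b"approved",  # hash is in baseline
        "public/tools/update.exe": PE_MAGIC + b"dropped",     # unknown executable
        "public/invoice.pdf": PE_MAGIC + b"disguised",        # PE hiding behind .pdf
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root

# Constructed baseline: only approved.exe is a trusted executable on the share.
BASELINE = {hashlib.sha256(PE_MAGIC + b"approved").hexdigest()}

if __name__ == "__main__":
    for hit in scan_share(build_sample_share(), BASELINE):
        print("unknown executable on share:", hit)
```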

The sheer volume and detail of information stolen by Qakbot is astounding. Every time an infected user accesses an entity’s website, the Trojan organizes data transmitted from the victim’s machine into three separate files ... These files are organized per user and are complete with comprehensive system and user-account information. All this information is likely aggregated by Qakbot's authors to research future possible exploits.


Qakbot's most famous victim to date is the National Health Service (NHS), the U.K.'s publicly funded healthcare system. Qakbot infected more than 1,100 computers at NHS, and while there was no evidence that patient data was compromised, 4 GB of credentials from Facebook, Twitter, Hotmail, Gmail, and Yahoo were seen being funneled through NHS-monitored servers. Qakbot also features a unique, self-developed compression format for the credentials it steals -- the first such programming feat of its kind. The Qakbot authors' proprietary archive format forces security researchers to spend considerable time and effort writing an appropriate decompressor.

Unlike some other Trojans, Qakbot's distribution is "quite limited, so it is likely privately owned and operated by a single cybercriminal or gang, as opposed to being commercially available in the underground."
