Researchers Decrypted Qakbot Banking Trojan’s Encrypted Registry Keys

Cybersecurity researchers have decoded the mechanism by which the versatile Qakbot banking trojan handles the insertion of encrypted configuration data into the Windows Registry.

Qakbot, also known as QBot, QuackBot and Pinkslipbot, has been observed in the wild since 2007. Although primarily known as information-stealing malware, Qakbot has since shifted its goals and acquired new functionality to deliver post-compromise attack platforms such as Cobalt Strike Beacon, with the ultimate aim of loading ransomware on infected machines.

"It has been continually developed, with new capabilities introduced such as lateral movement, the ability to exfiltrate email and browser data, and to install additional malware," Trustwave researchers Lloyd Macrohon and Rodel Mendrez said in a report shared with The Hacker News.

In recent months, phishing campaigns have culminated in the distribution of a new loader called SQUIRRELWAFFLE, which acts as a channel to retrieve final-stage payloads such as Cobalt Strike and QBot.

Newer versions of Qakbot have also gained the ability to hijack email and browser data, and to store the malware's encrypted configuration in the registry rather than writing it to a file on disk, as part of its attempts to leave as little trace of the infection as possible.

"While QakBot is not going completely fileless, its new tactics will surely lower its detection," Hornetsecurity researchers pointed out in December 2020.

Trustwave's analysis of the malware aims to reverse engineer this process and decrypt the configuration stored in the registry key. The cybersecurity company notes that the key used to encrypt the registry value data is derived from a combination of the computer name, the volume serial number, and the user account name, which is then hashed and salted along with a one-byte identifier (ID).

"The SHA1 hash result will be used as a derived key to decrypt the registry key value data respective to the ID using the RC4 algorithm," the researchers said, in addition to making available a Python-based decryptor utility that can be used to extract the configuration from the registry. Because the key is bound to the host identity, the decryptor has to be run with the infected machine's own computer name, volume serial number and user account name; the same registry blob copied to another system cannot be decrypted without them.
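The following Python is an added illustration of the scheme the two paragraphs above describe (host identity plus a one-byte ID, SHA1 for the key, RC4 for the value data). It is not Trustwave's decryptor and not code from the article: the order in which the three identity fields are concatenated, their string encoding, how the one-byte ID is mixed into the hashed material, and the use of the hex ID as the registry value name are all assumptions made here for the demo, and the host identity and configuration strings are constructed sample data. What it shows is the practical consequence of the design: the same blob decrypts to the configuration only when the decryptor is given the infected host's identity and the ID belonging to that value.

```python
import hashlib
from typing import Dict


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4. It is symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(computer_name: str, volume_serial: int, user_name: str, value_id: int) -> bytes:
    """SHA1 over the host identity salted with the one-byte value ID.

    ASSUMPTION: the article only says the three fields are combined, hashed and
    salted with a one-byte ID. The concatenation order, the UTF-16-LE encoding
    and appending the ID as the salt are choices made for this demo.
    """
    material = f"{computer_name}{volume_serial}{user_name}".encode("utf-16-le")
    material += bytes([value_id & 0xFF])
    return hashlib.sha1(material).digest()  # 20-byte RC4 key


# Constructed sample host identity and configuration values (not real Qakbot data).
HOST = {"computer_name": "DESKTOP-A1B2C3", "volume_serial": 0x1A2B3C4D, "user_name": "alice"}
CONFIGS: Dict[int, bytes] = {
    0x01: b"campaign=demo-2021\x00",
    0x02: b"c2=203.0.113.5:443\x00",
    0x03: b"install_time=1638316800\x00",
}


def encrypt_config(host: dict, configs: Dict[int, bytes]) -> Dict[str, bytes]:
    """Produce registry-style entries: value name (hex ID, an assumption) -> RC4 ciphertext."""
    return {
        f"{vid:02x}": rc4(derive_key(host["computer_name"], host["volume_serial"],
                                     host["user_name"], vid), blob)
        for vid, blob in configs.items()
    }


def decrypt_registry_values(host: dict, values: Dict[str, bytes]) -> Dict[int, bytes]:
    """Decrypt each value with the key derived for its own ID and the given host identity."""
    result = {}
    for name, blob in values.items():
        vid = int(name, 16)
        key = derive_key(host["computer_name"], host["volume_serial"], host["user_name"], vid)
        result[vid] = rc4(key, blob)
    return result


if __name__ == "__main__":
    stored = encrypt_config(HOST, CONFIGS)
    for name, blob in stored.items():
        print(f"value {name}: {blob.hex()}")
    # Correct host identity recovers the configuration.
    for vid, plain in decrypt_registry_values(HOST, stored).items():
        print(f"id {vid:#04x} -> {plain!r}")
    # Same blobs, wrong user account name: the derived keys differ, output is garbage.
    wrong_host = dict(HOST, user_name="bob")
    print(decrypt_registry_values(wrong_host, stored) == CONFIGS)  # False
```

Running it with the sample host prints the three stored values, their decrypted strings, and `False` for the attempt under a different user name; swapping any of the three identity fields, or the ID used for a value, has the same effect, which is why the host values must be collected from the infected machine before the registry blobs are extracted.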
