Qakbot Trojan Spreading Like A Worm: Report

Researchers are warning users about the reawakening of the Qakbot Trojan, a unique form of malware making its way into big banks and other global financial institutions, distinguished by its ability to spread like a worm but infect users like a Trojan. This and other findings were revealed in the RSA Online Fraud Report Monday.

Qakbot, which was named after its primary executable file _qakbot.dll, is not new on the threat landscape. However, although Qakbot is technically a Trojan, it behaves like a worm, with an ability to infect multiple machines at a time, while stealing banking credentials like other banking Trojans. Plus it is the only Trojan to almost exclusively target U.S. banks, security experts say.

"While not completely original, the worm/'Trojan combination is rare and extremely effective," said RSA researchers in the report.

In addition, the malware is unique in that it prefers shared networks, copying its executable file into shared directories, which enables it to propagate and contaminate every computer on the corporate network.

Sponsored post

Researchers are still investigating how the malware acquires money out of corporate bank accounts. Thus far there are no traces of HTML or JavaScript code injections or Web Trojan attacks such as Man-in-the-Browser, researchers said.

Next: U.S. Leads World In Number Of Phishing Attacks

Qakbot is also the first Trojan to divvy up targeted information from other stolen information once it infects a computer. Every time an infected user accesses a Website, the Trojan organizes the stolen data from the victim's machine into one of three files: System Information, such as IP address, DNS server and country of origin; Seclog, which includes HTP/S Post requests; and Protected Storage, information saved in the Internet Explorer Protected Storage and auto -- completed credentials, including usernames, passwords and browser history. The aggregated data can then be used by the malware's authors to conduct additional exploits and other cyber crime activities.

In addition, the malware comes equipped with a series of stealth functions, which include lab evasion technologies as well as an ability to set up a slew of tests that prevents it from being reverse engineered, the report found.

In addition to the Qakbot findings, the RSA Online Threat Report indicated that the U.S. was the biggest target for phishing attacks, with 30 percent of attacks targeted there, followed by the U.K. at 28 percent and South Africa at 21 percent.

Meanwhile, the U.S. also took the lead in the top ten nations that host phishing attacks, hosting around six out of 10, or 61.5 percent, of all phishing attacks. South Korea came in a distant second, hosting 7 percent of phishing attacks, while the U.K. came in third by hosting 6.5 percent of all attacks.

However, the number of phishing attacks experienced a 9 percent overall decrease in September, while phishing attacks targeting brands experienced an 18 percent decrease from August, dipping below 200 at 178 attacks last month.