Home / malwarePDF  

Backdoor:Win32/Qakbot.T


First posted on 26 November 2014.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Qakbot.T.

Explanation :

Threat behavior

Installation

This threat can be installed by exploit kits, such as Sweet Orange. It can also spread using infected network and removable drives, such as USB flash drives. It installs a copy of itself on all accessible drives and network shares, using a random file name. The dropped copy can be run remotely.

The trojan is installed along with a dynamic link library (DLL) file that contains encrypted configuration data to %APPDATA%\Microsoft\\. The folder and file names are the same, for example:

  • %APPDATA% \Microsoft\ypoplkc\ypoplkc.exe
  • %APPDATA% \Microsoft\ypoplkc\ypoplkc.dll


Registry modifications

The malware installs itself as a Windows service by modifying the following registry entries:

In subkey: HKLM\SYSTEM\CurrentControlSet\services\

Sets value: "Type"
With data: dword:00000010

Sets value: "Start"
With data: dword:00000002

Sets value: "ErrorControl"
With data: dword:00000000

Sets value: "ServiceName"
With data: ""

Sets value: "DisplayName"
With data: "Remote Procedure Call (RPC) Service"

Sets value: "DependOnService"
With data: "Dnscache"

In subkey: HKLM\SYSTEM\CurrentControlSet\services\
Sets value: "ObjectName"
With data: "LocalSystem"

It also modifies the following registry entries to lower your Internet security settings:

In subkey: HKCU\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\\2
Sets value: "2500"
With data: dword:00000003

In subkey: HKCU\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\\3
Sets value: "2500"
With data: dword:00000003

The trojan can create a shortcut file in the Startup folder that links back to its copy.

Payload

Allows backdoor access and control

This threat contacts a remote server to receive commands from a malicious hacker. Once connected, the malicious hacker can command the trojan to do a number of things, including:

  • Collect information about your PC
  • Check for new malware version
  • Download and run files, such as a malware update
  • Login to FTP sites using stolen credentials
  • Download collected data
  • Detect which antivirus program you have on your PC
  • Detect whether it is running in a virtual machine and/or honeypot
  • Stop processes by process ID (PID) or string matching
  • Log keystrokes
  • Load a specified configuration file
  • Steal email user names and passwords
  • Steal POP3 and FTP credentials
  • Collect your cookies and digital certificates
  • Delete your cookies
  • Infect removable drives
  • Infect accessible network shares
  • Contact a SOCKs server


Steals your banking information

A malicious hacker can also tell the trojan to steal your online banking information. The trojan watches to see if you visit any URLs that include the following strings:

  • web-access.com
  • webcashmgmt.com
  • /achupload
  • /cashman/
  • /cashplus/
  • /clkccm/
  • /cmserver/
  • /corpach/
  • /ibws/
  • /payments/ach
  • /stbcorp/
  • /wcmpr/
  • /wcmpw/
  • /wcmtr/
  • /wires/
  • /wiret
  • access.jpmorgan.com
  • accessonline.abnamro.com
  • achbatchlisting
  • bankeft.com
  • blilk.com
  • business-eb.ibanking-services.com
  • businessaccess.citibank.citigroup.com
  • businessbankingcenter.synovus.com
  • businessinternetbanking.synovus.com
  • businessonline.huntington.com
  • businessonline.tdbank.com
  • cashproonline.bankofamerica.com
  • cbs.firstcitizensonline.com
  • chsec.wellsfargo.com
  • cmol.bbt.com
  • commercial.bnc.ca
  • commercial.wachovia.com
  • commercial2.wachovia.com
  • commercial3.wachovia.com
  • commercial4.wachovia.com
  • corporatebanking
  • cpw-achweb.bankofamerica.com
  • ctm.53.com
  • directline4biz.com
  • directpay.wellsfargo.com
  • e-facts.org
  • e-moneyger.com
  • each.bremer.com
  • ebanking-services.com
  • express.53.com
  • firstmeritib.com
  • firstmeritib.com/defaultcorp.aspx
  • goldleafach.com
  • iachwellsprod.wellsfargo.com
  • ibc.klikbca.com
  • iris.sovereignbank.com
  • itreasury.regions.com
  • itreasurypr.regions.com
  • jsp/mainWeb.jsp
  • ktt.key.com
  • moneymanagergps.com
  • netconnect.bokf.com
  • nj00-wcm
  • ocm.suntrust.com
  • onlineserv/CM
  • otm.suntrust.com
  • paylinks.cunet.org
  • premierview.membersunited.org
  • providentnjolb.com
  • scotiaconnect.scotiabank.com
  • securentrycorp.amegybank.com
  • securentrycorp.zionsbank.com
  • singlepoint.usbank.com
  • svbconnect.com
  • tcfexpressbusiness.com
  • tmcb.zionsbank.com
  • tmconnectweb
  • treas-mgt.frostbank.com
  • treasury.pncbank.com
  • trz.tranzact.org
  • tssportal.jpmorgan.com
  • wc.wachovia.com
  • wcp.wachovia.com
  • web-cashplus.com
  • webexpress.tdbank.com
  • wellsoffice.wellsfargo.com


If you visit one of these banking websites the malware can monitor the communication and capture your sensitive information, such as your user name and password.

Sends stolen data to a malicious hacker

This threat can send the information it collects from your PC back to a remote server via HTTP or FTP. We have seen it connect to the following servers:

  • 85.114.135.19 using TCP/8080
  • 213.239.202.52 using TCP/65400


Blocks access to security websites

The malware hooks several APIs to monitor system events related to its information stealing routines. It can then block access to some security-related websites. We have seen it hooks the following APIs:

  • advapi32.dll!RegEnumValueW
  • advapi32.dll!RegEnumValueA
  • dnsapi.dll!DnsQuery_A
  • dnsapi.dll!DnsQuery_W
  • iphlpapi.dll!GetTcpTable
  • iphlpapi.dll!AllocateAndGetTcpExTableFromStack
  • kernel32.dll!GetProcAddress
  • kernel32.dll!FindFirstFileA
  • kernel32.dll!FindNextFileA
  • kernel32.dll!FindFirstFileW
  • kernel32.dll!FindNextFileW
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtResumeThread
  • ntdll.dll!LdrLoadDll
  • wininet.dll!HttpOpenRequestA
  • ininet.dll!HttpOpenRequestW
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestW
  • ninet.dll!HttpSendRequestExW
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFileExA
  • wininet.dll!InternetWriteFile
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!HttpOpenRequestA
  • wininet.dll!HttpOpenRequestW
  • ws2_32.dll!connect
  • ws2_32.dll!send
  • ws2_32.dll!WSASend
  • ws2_32.dll!WSAConnect
  • user32.dll!GetClipboardData
  • user32.dll!CharToOemBuffA
  • user32.dll!TranslateMessage


We have seen it block the following security-related websites:

  • Agnitum
  • Ahnlab
  • Arcabit
  • Avast
  • Avg
  • Avira
  • Avp
  • Bit9
  • Bitdefender
  • Castlecops
  • Centralcommand
  • Clamav
  • Clearclouddns
  • Comodo
  • Computerassociates
  • Cpsecure
  • Defender
  • Download.microsoft
  • Drweb
  • Emsisoft
  • Esafe
  • Eset
  • Etrust
  • Ewido
  • Explabs
  • F-prot
  • F-secure
  • Fortinet
  • Gdata
  • Grisoft
  • Hacksoft
  • Hauri
  • Hautesecure.com
  • Ikarus
  • Jotti
  • KI7computing
  • Kaspersky
  • Malware
  • Mcafee
  • Networkassociates
  • Nod32
  • Norman
  • Norton
  • Panda
  • Pctools
  • Phishtank.com
  • Prevx
  • Quickheal
  • Rising
  • Rootkit
  • Sanasecurity
  • Securecomputing
  • Sophos
  • Spamhaus
  • Spyware
  • Sunbelt
  • Symantec
  • Threatexpert
  • Threatfire
  • Trendmicro
  • Truste.com
  • Update.microsoft
  • Virus
  • Webroot
  • Wilderssecurity
  • Windowsupdate


Additional information
  • Proofpoint blog: How to steal access to over 500,000 bank accounts: The insider view of a Russian cybercrime infrastructure
  • Microsoft Malware Protection Center Threat Report - Qakbot




Analysis by Rex Plantado

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKLM\SYSTEM\CurrentControlSet\services\

    Sets value: "Type"
    With data: dword:00000010

    Sets value: "Start"
    With data: dword:00000002

    Sets value: "ErrorControl"
    With data: dword:00000000

    Sets value: "ServiceName"
    With data: ""

    Sets value: "DisplayName"
    With data: "Remote Procedure Call (RPC) Service"

    Sets value: "DependOnService"
    With data: "Dnscache"

    In subkey: HKLM\SYSTEM\CurrentControlSet\services\
    Sets value: "ObjectName"
    With data: "LocalSystem"

    In subkey: HKCU\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\\2
    Sets value: "2500"
    With data: dword:00000003

    In subkey: HKCU\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\\3
    Sets value: "2500"
    With data: dword:00000003

Last update 26 November 2014

 

TOP