Qakbot, also referred to as Qbot and Pinkslipbot, is a banking trojan. Dating back to at least 2009, it had disappeared off the radar until AnubisNetworks published a blog post, "The return of Qakbot", analyzing the command and control communication of the latest version of the malware. Though smaller than its peak size of 200,000 infections, with at least 20,000 infected machines the malware could still provide a decent amount of pocket money for its authors.
Later that year, as the botnet grew, the findings in the blog post were confirmed by other researchers; Proofpoint published an interesting whitepaper on the malware family.
After that, things around Qakbot became quiet again, other than the odd mention in reference to exploit kits. That changed last week, when BAE Systems published another whitepaper, called "The return of Qbot".
Of course, the researchers weren't two years late with their findings: Qakbot (or Qbot) had returned once again, this time using version 9 of its own C&C protocol.
The whitepaper provides an interesting insight into how Qakbot uses the Rig exploit kit to infect users. Unlike some other exploit kits, which spread through ad networks, Rig mainly uses compromised websites to infect visitors with whatever malware its customers want to spread: the exploit kit can be rented by cybercriminals who want their malware to infect users who browse the internet from a PC that is not fully patched.
Just like one can buy online ads targeting users in a specific demographic, one can also rent an exploit kit to geo-target users and it is likely that Qakbot authors have done this: 85% of the infections are found in the US, a figure not dissimilar to what was seen two years ago.
The targeting of specific regions is not uncommon among banking trojans. After all, as each online banking system is different, the authors need to add bank-specific code to the malware for every bank they target, so it makes sense to add support for banks in one country and get the malware to infect users there.
The choice of the US, apart from its size, also makes sense: while generally seen as the place to go for anything tech, the country's banks are well behind when it comes to applying good security practices and two-factor authentication, the norm in most European countries, is still relatively rare. This makes the life of a banking trojan's author a lot easier.
One thing which has always made Qakbot stand out among banking trojans is the fact that it attempts to "move laterally" within an organization’s network by infecting other machines, for instance by trying a number of hardcoded common passwords. This explains why some organizations - most victims were in the academic and medical sector - had over a thousand infected machines on the network.
Qakbot may not be the most advanced malware out there, yet it continues to evolve and manages to stay under the radar quite well. For example, its C&C communication remains easy to spot using IDS signatures if you know what you are looking for, yet if you don't, it doesn't stand out among other HTTP requests.
It does, however, provide a number of valuable security lessons: make sure you only browse the Internet with fully patched machines. Make sure you use strong passwords on all machines, even those that are only accessible on a local network. And find a bank that uses two-factor authentication for transactions.
Martijn Grooten, 28th April 2016