Cybersecurity researchers have worked out how the adaptable Qakbot banking trojan stores its encrypted configuration data in the Windows Registry, and how that data can be decrypted.
Qakbot, also known as QBot, QuackBot, and Pinkslipbot, has been observed in the wild since 2007. Originally designed to steal information, it has since evolved and gained new capability to deploy post-compromise attack platforms such as Cobalt Strike Beacon, with the aim of putting ransomware on infected PCs.
Phishing campaigns in recent months have delivered a new loader known as SQUIRRELWAFFLE, which serves as a route for retrieving final-stage payloads such as Cobalt Strike and QBot.
As part of its efforts to leave as little trace of the infection as possible, newer versions of Qakbot have gained the ability to hijack email and browser data, and to store the malware's encrypted configuration information in the registry rather than writing it to a file on disk.
Trustwave's investigation into the malware set out to reverse engineer this process and decrypt the configuration stored in the registry key. According to the cybersecurity firm, the key used to encrypt the registry value data is derived from a combination of the computer name, volume serial number, and user account name, which is then hashed and salted along with a one-byte identifier (ID).
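The derivation described above binds each registry value to the infected host and to its one-byte ID, so an analyst decrypting the configuration from a forensic image must collect those three host identifiers first. The following is an added example, not Trustwave's or Qakbot's code: the hash (SHA-1), the cipher (RC4), the field order, the encodings and the empty default salt are all assumptions made for illustration, and the host values and registry blobs are constructed.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (assumed cipher); symmetric, so one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(computer_name: str, volume_serial: int, user_name: str,
               id_byte: int, salt: bytes = b"") -> bytes:
    """Per-host key = hash(computer name + volume serial + user name + salt + one-byte ID).
    SHA-1, the field order, upper-casing and the UTF-16LE encoding are assumptions."""
    if not 0 <= id_byte <= 0xFF:
        raise ValueError("ID must fit in one byte")
    material = (computer_name.upper().encode("utf-16-le")
                + volume_serial.to_bytes(4, "little")
                + user_name.upper().encode("utf-16-le")
                + salt + bytes([id_byte]))
    return hashlib.sha1(material).digest()


def decrypt_registry_values(host: dict, values: dict) -> dict:
    """Decrypt a {id_byte: ciphertext} mapping recovered from the registry for one host."""
    return {i: rc4(derive_key(host["computer_name"], host["volume_serial"],
                              host["user_name"], i), blob)
            for i, blob in values.items()}


# Constructed sample: identifiers an analyst would pull from the image, and two
# registry values produced with the same (assumed) scheme for the round trip.
SAMPLE_HOST = {"computer_name": "WS01", "volume_serial": 0x1A2B3C4D, "user_name": "alice"}
SAMPLE_PLAINTEXT = {0x00: b"bot_id=constructed", 0x07: b"last_seen=constructed"}
SAMPLE_VALUES = {i: rc4(derive_key("WS01", 0x1A2B3C4D, "alice", i), p)
                 for i, p in SAMPLE_PLAINTEXT.items()}

if __name__ == "__main__":
    for i, p in decrypt_registry_values(SAMPLE_HOST, SAMPLE_VALUES).items():
        print(f"ID {i:02x}: {p!r}")
```

Because the key depends on the host identifiers, the same blobs decrypt to garbage on any other machine, which is why the configuration must be recovered together with the computer name, volume serial and user name from the image.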