QakBot Banking Trojan Causes Massive Active Directory Lockouts

This post was co-authored by IBM X-Force researchers Mike Oppenheim, Kevin Zuk, and Matan Meir.

---

IBM X-Force Research recently observed a wave of malware-induced Active Directory (AD) lockouts across several incident response engagements. The lockouts caused hundreds to thousands of AD users to get locked out of their company’s domain in rapid succession, leaving employees of the impacted organizations unable to access their endpoints, company servers, and networked assets.

Active Directory manages users and user access on Microsoft servers, as well as the policies and procedures that enable network access. X-Force researchers associated the mass AD lockouts with malicious activity by an existing banking Trojan known as QakBot, aka PinkSlip.

X-Force Incident Response and Intelligence Services (IRIS) responders, who investigated recent QakBot activity waves, suspect that numerous organizations have suffered and will continue to suffer from these lockout waves.

QakBot Back in Business

According to X-Force research, QakBot is financial malware known to target businesses to drain their online banking accounts. The malware features worm capabilities to self-replicate through shared drives and removable media. It uses powerful information-stealing features to spy on users’ banking activity and eventually defraud them of large sums of money.

Though well-known and familiar from previous online fraud attacks, QakBot continually evolves. This is the first time IBM X-Force has seen the malware cause AD lockouts in affected organizational networks.

Although part of QakBot is known to be a worm, it is a banking Trojan in every other sense. QakBot is modular, multithread malware whose various components implement online banking credential theft, a backdoor feature, SOCKS proxy, extensive anti-research capabilities and the ability to subvert antivirus (AV) tools. Aside from its evasion techniques, given admin privileges, QakBot’s current variant can disable security software running on the endpoint.

Overall, QakBot’s detection circumvention mechanisms are less common than those used by other malware of its class. Upon infecting a new endpoint, the malware uses rapid mutation to keep AV systems guessing. It makes minor changes to the malware file to modify it and, in other cases, recompiles the entire code to make it appear unrecognizable.

Read additional technical details and our conclusion here.