Keypoints
- Qakbot began in 2008 as a banking trojan and has been continuously developed into five major versions, with the latest (5.0.x) released in December 2023.
- The malware shifted from direct banking fraud to acting as an initial access broker and staging Cobalt Strike and ransomware deployments (e.g., BlackBasta).
- Anti-analysis capabilities evolved from simple XOR string obfuscation to AES-encrypted XOR keys, API hashing (CRC32/XOR), junk code insertion, and extensive sandbox/VM detection.
- Network communication uses HTTP-based C2 with progressively stronger encryption (RC4 → AES + SHA256), JSON-style encoding, RSA digital signatures, and a multi-tier C2 architecture using compromised hosts as relays.
- Resource and plugin handling moved from unencrypted embedded DLLs to layered RC4/AES decryption schemes and compressed resources, enabling a lightweight stager to fetch modules on demand.
- Qakbot implemented a DGA in earlier versions, later replaced by an architecture that embeds compromised systems’ IPs/ports to avoid single-point failures and reduce DGA noise.
- Data exfiltration originally used compromised FTP servers (credentials in config) but later shifted to direct exfiltration to C2 infrastructure to reduce exposure.
MITRE Techniques
- None – The article does not explicitly reference MITRE ATT&CK technique identifiers or technique names; it describes behaviors (e.g., process injection, SMB propagation, HTTP C2) without listing ATT&CK T-codes.
Indicators of Compromise
- [File Hashes] Qakbot sample hashes from the article timeline – de1d9ed6da4f34b4444b13442aac5033, f382d0f92221831eeb39c108f8ccfa26, and many more hashes listed in the timeline.
- [Detection Name] Malware detection label used in the article – Win32.Banker.Qakbot (Zscaler detection name).
- [Process Names] Sandbox/analysis tool process names checked by Qakbot – procmon.exe, wireshark.exe, idaq.exe, and numerous other analyst tool names referenced.
Qakbot’s technical progression centers on hardened anti-analysis, encrypted network protocols, and a modular plugin system. Early builds used simple XOR to obfuscate strings and stored decrypted blocks in memory; later builds increased XOR key length and, in version 5.0, encrypted the XOR key with AES where the AES key is derived via SHA256. API resolution moved from plaintext names to CRC32-based hashing (sometimes XORed with a constant) to thwart static analysis, and junk/nonfunctional code blocks were introduced to defeat signature-based detection. Anti-sandbox measures include checking BIOS/vendor strings, VM-specific drivers and artifacts, and scanning for analyst tool process names; some builds even produce fake DGA results when network monitoring is detected.
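The two obfuscation layers described above, XOR string tables and CRC32 API hashing, are the ones an analyst most often has to undo by hand. The following is an added example written for this summary; it is not Zscaler's or Qakbot's code. The XOR key, the XOR constant applied to the CRC32 hash, and the candidate API list are constructed values; a real sample supplies its own, and the reverse-lookup step is what recovers readable imports from a hash-only import table.

```python
"""Analyst-side helpers for two anti-analysis tricks (added example).

1. XOR string table: NUL-separated strings XORed with a repeating key.
2. CRC32 API hashing (optionally XORed with a constant) and the
   hash -> name lookup table used to resolve hashed imports.
"""
import zlib

# Constructed sample key material; real samples carry their own.
SAMPLE_XOR_KEY = b"\x5a\xc3\x19\x77\xe2\x08"
SAMPLE_XOR_CONST = 0x1234ABCD

# Constructed candidate list; in practice this is every export of the
# DLLs the loader resolves from (kernel32, ntdll, advapi32, ...).
CANDIDATE_APIS = [
    "CreateProcessW", "VirtualAlloc", "WriteProcessMemory",
    "CreateRemoteThread", "IsDebuggerPresent", "GetTickCount",
]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_string_table(strings, key: bytes) -> bytes:
    """Pack strings as NUL-terminated entries and XOR the whole blob."""
    plain = b"".join(s.encode() + b"\x00" for s in strings)
    return xor_bytes(plain, key)


def decrypt_string_table(blob: bytes, key: bytes):
    """Undo the XOR and split the blob back into its strings."""
    plain = xor_bytes(blob, key)
    return [s.decode(errors="replace") for s in plain.split(b"\x00") if s]


def api_hash(name: str, xor_const: int = 0) -> int:
    """CRC32 of the API name, XORed with a per-sample constant (0 = plain CRC32)."""
    return (zlib.crc32(name.encode()) ^ xor_const) & 0xFFFFFFFF


def build_hash_lookup(candidate_names, xor_const: int = 0):
    """Precompute hash -> name so hashed imports can be labelled."""
    return {api_hash(n, xor_const): n for n in candidate_names}


def resolve_hashes(hashes, lookup):
    """Map each hash to a name, marking anything not in the candidate set."""
    return [lookup.get(h, f"unknown_{h:08x}") for h in hashes]


if __name__ == "__main__":
    table = build_string_table(["procmon.exe", "wireshark.exe"], SAMPLE_XOR_KEY)
    print(decrypt_string_table(table, SAMPLE_XOR_KEY))
    lookup = build_hash_lookup(CANDIDATE_APIS, SAMPLE_XOR_CONST)
    print(resolve_hashes([api_hash("VirtualAlloc", SAMPLE_XOR_CONST)], lookup))
```

When the XOR constant is unknown, XORing a hash from the binary with the CRC32 of a guessed common API (such as the first import a loader typically needs) yields a candidate constant that can be checked against the rest of the table.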
On the network side, Qakbot has always used HTTP for C2 but repeatedly strengthened its protocol and encryption. The message format evolved from simple text-like payloads to a JSON-style encoding with integer keys, and encryption moved from RC4 (key = random bytes + hardcoded salt, hashed with SHA1) to AES (random bytes + salt, hashed with SHA256), with the Base64-encoded payload embedded in POST bodies. Version 3 introduced RSA digital signature verification to prevent tampering with commands and modules. The malware also moved from hardcoded C2 domains to a DGA (used to generate thousands of domains per date) and later to a multi-tier architecture that uses compromised hosts as relays/proxies, embedding IP:port lists in encrypted configs to hide backend infrastructure and avoid single points of failure.
The codebase became modular so that a small stager handles persistence and C2 and then downloads plugins to extend capabilities (browser hooks, credential harvesters, email theft, Cobalt Strike deployment, SOCKS5 proxying, and relay C2 functionality). Embedded resources and modules are protected with successive encryption schemes across versions (custom XOR → RC4 → layered RC4 with SHA1-derived keys → AES-wrapped keys), and some resources are compressed with a modified BriefLZ to reduce payload size. Earlier versions exfiltrated data to compromised FTP servers using credentials stored in the config; later versions send stolen data directly to C2 to reduce exposure. Together these changes increased stealth, resilience, and operational flexibility.
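Both the C2 paragraph and the resource paragraph above describe the same key-handling pattern: a random prefix is hashed together with a hardcoded salt, the digest becomes the RC4 key, and the prefix travels in front of the ciphertext so the peer can rederive the key. The code below is an added example serving both passages, not code from Zscaler or from Qakbot; the salt, the 16-byte prefix length, the two-layer resource wrapping and the sample message are constructed assumptions. The SHA256 variant of later versions is shown only as the key-derivation step, since the standard library has no AES.

```python
"""Random-prefix + salt -> hash -> RC4 key, applied to C2 bodies and to
layered resources (added example with constructed parameters)."""
import base64
import hashlib
import json
import os

SAMPLE_SALT = b"constructed-salt-not-from-any-sample"  # constructed
PREFIX_LEN = 16  # constructed; the prefix is the random material per message


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(prefix: bytes, salt: bytes, hash_name: str = "sha1") -> bytes:
    """key = H(prefix || salt). sha1 feeds RC4 (older versions);
    sha256 is the derivation step for the later AES scheme."""
    return hashlib.new(hash_name, prefix + salt).digest()


def wrap(data: bytes, salt: bytes, prefix: bytes = b"") -> bytes:
    """prefix || RC4(sha1(prefix || salt), data). A fixed prefix makes tests deterministic."""
    prefix = prefix or os.urandom(PREFIX_LEN)
    return prefix + rc4(derive_key(prefix, salt), data)


def unwrap(blob: bytes, salt: bytes) -> bytes:
    """Recover the key from the shipped prefix and decrypt the remainder."""
    prefix, body = blob[:PREFIX_LEN], blob[PREFIX_LEN:]
    return rc4(derive_key(prefix, salt), body)


def encode_c2_body(message: dict, salt: bytes) -> str:
    """JSON-style message with integer keys, encrypted and Base64'd for a POST body."""
    return base64.b64encode(wrap(json.dumps(message).encode(), salt)).decode()


def decode_c2_body(body: str, salt: bytes) -> dict:
    """Analyst side: Base64-decode, rederive the key, parse the JSON."""
    return json.loads(unwrap(base64.b64decode(body), salt))


def encrypt_layered_resource(data: bytes, salt: bytes, layers: int = 2) -> bytes:
    """Each layer adds its own random prefix and RC4 pass (constructed layering)."""
    for _ in range(layers):
        data = wrap(data, salt)
    return data


def decrypt_layered_resource(blob: bytes, salt: bytes, layers: int = 2) -> bytes:
    """Peel the layers in reverse; the prefix of each layer is in the clear."""
    for _ in range(layers):
        blob = unwrap(blob, salt)
    return blob


if __name__ == "__main__":
    body = encode_c2_body({1: 4, 2: "constructed-bot-id"}, SAMPLE_SALT)
    print(body)
    print(decode_c2_body(body, SAMPLE_SALT))
```

Because the salt is the only secret shared across messages, recovering it once from a sample's config lets a defender decrypt every captured POST body for that campaign, which is why the salt is a useful pivot for both detection engineering and incident response.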
Read more: https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-development