The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA

Keypoints

• The Ares banking trojan received a DGA-based fallback mechanism in August 2022 to contact C2 when primary channels fail.
• The Ares DGA implementation is virtually identical to Qakbot’s defunct DGA, though not tied to the same codebase.
• The DGA uses a hardcoded seed and the current date to generate 50 domains per interval (150 domains per month), relying on the daytime protocol to obtain the date from NIST time servers.
• Reverse engineering suggests Ares reimplemented the DGA rather than stemming from Qakbot’s source code; ThreatLabz even modified a Python-based Qakbot DGA to produce Ares domains.
• Ares is active against financial institutions in Mexico, with BBVA Mexico appearing in hardcoded web inject configurations.
• New features include web inject testing, a dynamic API hash algorithm, and CRC64-based hashing changes to map NTDLL API names, aiding evasion of static detections.
• Threat activity includes improvements to resilience and inference of forthcoming attacks leveraging the new capabilities.