A banking Trojan called Qakbot has developed new attributes not seen before in other financial malware, according to researchers at RSA, the security division of EMC Corp.
RSA's Online Fraud Report released Monday details unique attributes of the Qakbot Trojan, the same Trojan that attacked the UK's National Health Service earlier this year, infecting over 1,100 computers.
Now this Trojan, named after its main executable file, qakbot.dll, has moved on, and new characteristics are being revealed. For one, the Trojan spreads like a worm, infecting several computers at once. However, it works like a typical banking Trojan, stealing banking information and other data mostly from U.S.-based financial institutions.
The report notes that Qakbot is the first Trojan to solely target business and corporate financial accounts at large U.S.-based financial institutions and to separate targeted credentials from other stolen information and organizing it into three folders.
"Every time an infected user accesses a website, the Trojan organizes data transmitted from the victim's machine into three separate files: System Information (IP address, DNS server, country, state, city, software applications installed), Seclog (HTTP/S POST requests) and Protected Storage (information saved in the Internet Explorer Protected Storage and auto complete credentials including usernames, passwords, and browser history)," researchers wrote.
The organization helps the attackers track information, but what is the reason for the exclusive target? Economics, according to the RSA report. Qakbot knows to attack these larger institutions because they hold more money than the average private online account.
The report also showed that September was the seventh consecutive month that U.S. nationwide banks were targeted for cyberattacks, receiving 64% of all attacks.
Qakbot is designed to avoid research labs so it will not be studied and scrutinized by security researchers. However, if Qakbot finds itself in a research environment it will essentially blacklist the IP address in its drop box so it will not try to attack that lab again.
Qakbot also uses a unique compression format developed by its authors. Instead of using popular formats like ZIP and RAR, they have designed a proprietary archive format that forces security researchers to take time to figure out -- resulting in more time to spread Qakbot through systems.
By Kathleen Kriz