In March 2018, an identified financial services corporation received a thumb drive infected with the bank credential-stealing Qakbot malware variant, targeting information from networked computers and financial institution web sites. The financial services corporation purchased bulk thumb drives from a US online retailer of computer hardware. The thumb drives were originally manufactured in China. According to FBI forensic analysis, the Qakbot malware was on the infected thumb drive before the drive arrived in the United States. Qakbot is extremely persistent and requires removal of all malware from every device. Failure to remove even one node of malware may result in re-infecting previously sanitized systems possibly costing the victim hundreds of thousands of dollars in malware removal and system downtime.

Threat

Qakbot is an information stealing worm—originally discovered in 2007 with a major update in 2017—that propagates through removable drives, network shares, and Web pages. The most common vector of intrusion for Qakbot is malicious attachments to phishing emails. Once executed, Qakbot spreads to other shared folders and uses Server Message Block (SMB) protocol to infect other machines. Qakbot has keylogging capabilities, and is able to propagate across network environments through a single instance within that network. It is capable of remaining on a device through the use of registry keys and by scheduling recurring tasks to run at timed intervals. Every device connected to the network and every piece of removable media which has been attached needs to be scanned for the malware and cleaned of the infection before it can be reconnected. The most recent updates in 2017 allows Qakbot to lock users out of the active directory, preventing them from being able to work. It also deploys malicious executables into network shares, registering them as services.

Cyber actors have the capability to infect devices with malware at nearly any point in the manufacturing process. The FBI has historically seen cases of infection with malware capable of stealing credentials, gathering data on the users of a computer or network, dropping other types of malware, and serving as a “backdoor” into a secure network. It is difficult to know at which point the malware infection occurred or whether the infection was intentional, due to the international nature of hardware manufacturing.

Recommendations

To mitigate the threat of a potentially infected thumb drive, the following measures should be taken at a minimum:

Ensure the use of approved, trusted vendors for hardware purchases.

Scan all hardware, especially removable storage media, on an external system prior to its insertion into a network environment.

For signature-based intrusion detection systems, ensure that the hash value for known Qakbot variants are included. The MD5 value for the variant identified in this PIN was: ff0e3ec80faafd04c9a8b375be77c6b6. This hash value can change, so be prepared to use other advanced detection systems.

Users should protect themselves and organizations by practicing good browsing habits, ensuring they do not respond to or click on unsolicited email, and to not plug unknown USB devices into
their workstations.

If you don’t have the expertise to properly handle or identify potential cyber threats please seek out an expert who can provide the expertise needed to secure your organization.

Share this: