{
	"id": "3e575f24-939c-4b22-83d8-5bf121a80bae",
	"created_at": "2026-04-06T00:13:35.724119Z",
	"updated_at": "2026-04-10T03:20:27.001784Z",
	"deleted_at": null,
	"sha1_hash": "9e10fdc58360752c085bacc2bbac4238023619c7",
	"title": "Qakbot Spreads like a Worm, Stings like a Trojan « Speaking of Security – The RSA Blog and Podcast",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54969,
	"plain_text": "Qakbot Spreads like a Worm, Stings like a Trojan « Speaking of Security – The RSA Blog and Podcast\r\nBy RSA FraudAction Research Labs\r\nArchived: 2026-04-05 12:48:37 UTC\r\nWhile the name Qakbot may sound funny, the Trojan is targeting business and corporate accounts—and no one is laughing. Named after its main executable file, _qakbot.dll, the Qakbot Trojan is not new; however, the RSA FraudAction Research Lab has uncovered some unique attributes of Qakbot rarely seen before in other financial crimeware.\r\nOur recent research into Qakbot shows that its trigger list consists almost entirely of large US-based financial institutions, with a few non-US institutions. Furthermore, Qakbot is the first Trojan seen to target business/corporate accounts at these financial institutions exclusively. Why is Qakbot limiting itself? Why not expand beyond corporate accounts and victimize the ordinary consumer? The answer is economics – the goal for Qakbot is to siphon out larger sums of money, much more than would generally be available in private online accounts. While Qakbot is not the first and only Trojan to target such accounts, it is the only one that shows this type of strict “preference” by design, with no exceptions.\r\nHow the Qakbot Trojan actually gets money out of corporate bank accounts is still being investigated. Surprisingly, we did not trace HTML or JavaScript code injections, nor Man-in-the-Browser attacks, which are typically used to circumvent the two-factor authentication mechanisms that normally protect these high-asset accounts. Still, we suspect that Qakbot does have some sort of module for completing real-time attacks, since it would otherwise not target business accounts to begin with.\r\nAnother unique attribute of the Qakbot Trojan is its makeup. 
Qakbot is the ultimate multi-tasker, designed to spread like a worm—infecting multiple machines at a time—while also stealing data like an ordinary banker Trojan. Qakbot targets shared networks, copying its executable file into shared directories, a technique that enables it to propagate on corporate networks and renders every computer connected to such networks vulnerable. While not completely original, the worm/Trojan combination is rare and extremely effective.\r\nFinally, Qakbot is an organization dynamo. It is the first Trojan to separate targeted credentials from other stolen information on the client side rather than in a drop zone. After the distinction between targeted credentials and other information is made on the victim’s computer, targeted credentials are sent to Qakbot’s drop server, while credentials stolen from entities that are not specifically targeted by Qakbot are uploaded to hijacked FTP accounts located on legitimate FTP servers.\r\nThe sheer volume and detail of information stolen by Qakbot is astounding. Every time an infected user accesses an entity’s website, the Trojan organizes data transmitted from the victim’s machine into three separate files: System Information (IP address, DNS server, country, state, city, software applications installed, etc.) (see Figure 1), Seclog (HTTP/S POST requests) (see Figure 2), and Protected Storage (information saved in the Internet Explorer Protected Storage and auto-complete credentials, including usernames, passwords, and browser history) (see Figure 3).\r\nhttps://web.archive.org/web/20120206174705/http://blogs.rsa.com/rsafarl/businesses-beware-qakbot-spreads-like-a-worm-stings-like-a-trojan/\r\nPage 1 of 4\n\nThese files are organized per user and are complete with comprehensive system and user-account information. Why bother aggregating such extensive system data on each user account defined on every infected computer? 
All this information is likely aggregated by Qakbot’s authors to research possible future exploits.\r\nThe Qakbot Trojan’s most famous victim to date was the National Health Service (NHS), the UK’s publicly funded healthcare system. Qakbot infected over 1,100 computers and, while there was no evidence that patient data was compromised, 4 GB of credentials for Facebook, Twitter, Hotmail, Gmail and Yahoo were seen being funneled through NHS-monitored servers.\r\nQakbot’s Other Idiosyncrasies\r\nTwo of Qakbot’s extensive stealth functionalities stand out as particularly unusual. The first is Qakbot’s extensive lab-evasion procedures, designed to ensure that the Trojan does not run in a security company’s research lab. Qakbot’s developers are definitely not the first crimeware authors to design lab-evading tests in an effort to avoid having their crimeware studied by researchers in a lab environment. However, unlike some other Trojans, which simply check whether they are being run on a virtual machine to determine whether to continue their self-installation, Qakbot’s authors have taken pains to set up a series of seven tests in an attempt to ensure that their Trojan will not be reverse engineered and scrutinized by security researchers.\r\nIn addition, and this is the more unusual part, if Qakbot identifies that it is being run in a lab setting, it goes to the trouble of reporting the relevant IP address to the Trojan’s drop zone: the Trojan sends the system’s IP address and bot ID to Qakbot’s drop zone (via the internal command getip). 
This kind of notification is likely performed to blacklist the IP address, so that the Trojan never again attempts to infect the same research lab.\r\nThe second unusual stealth functionality traced by the lab is the unique, self-developed compression format created by Qakbot’s authors to compress credentials stolen by the Trojan—the first programming feat of its kind witnessed by the lab, as most banking Trojans simply use popular compression formats such as ZIP, RAR, and tar.gz. The Qakbot authors’ proprietary archive format forces professional security researchers to dedicate a considerable amount of time and effort to writing an appropriate decompressor.\r\n*****\r\nIt is important to note that the Qakbot Trojan’s distribution is quite limited, so it is likely privately owned and operated by a single cybercriminal or gang, as opposed to being commercially available in the underground. However, despite the Trojan’s low prevalence in the wild, its unique functionalities all make Qakbot a highly targeted virtual burglar.\r\nFigure 1: SI – System Information File sent from Bot to Qakbot C\u0026C Server\r\nFigure 2: Seclog – File sent from Bot to Qakbot C\u0026C Server\r\nFigure 3: PS – Protected Storage File sent from Bot to Qakbot’s C\u0026C Server\r\nSource: https://web.archive.org/web/20120206174705/http://blogs.rsa.com/rsafarl/businesses-beware-qakbot-spreads-like-a-worm-stings-like-a-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20120206174705/http://blogs.rsa.com/rsafarl/businesses-beware-qakbot-spreads-like-a-worm-stings-like-a-trojan/"
	],
	"report_names": [
		"businesses-beware-qakbot-spreads-like-a-worm-stings-like-a-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434415,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e10fdc58360752c085bacc2bbac4238023619c7.pdf",
		"text": "https://archive.orkl.eu/9e10fdc58360752c085bacc2bbac4238023619c7.txt",
		"img": "https://archive.orkl.eu/9e10fdc58360752c085bacc2bbac4238023619c7.jpg"
	}
}