QakBot Returns To Lock Thousands Out Of Microsoft Active Directory Service

The malware causes lockouts while on the hunt for banking credentials

Malware has been causing lockouts for hundreds of thousands of users of Microsoft’s Active Directory (AD) service, preventing them from accessing their company servers, networked assets and endpoints.

The outbreak was discovered by IBM’s X-Force Research division, which attributed the lockouts of AD, the directory service that manages users, computers and access on Windows domain networks, to malicious activity by the known QakBot trojan, also called PinkSlip.

QakBot back 

QakBot is a financial trojan that has long targeted businesses in order to drain their online banking accounts. It can propagate itself through removable media and network shares, and it steals information to spy on the banking activity of users of infected machines and eventually defraud them of significant sums of money.

Despite being a well-known strain of malware, QakBot is difficult to tackle because of its modular, multithreaded construction and its ability to keep evolving: it creates backdoors into systems, subverts anti-virus tools and makes itself hard for security researchers to observe and analyse.

“Upon infecting a new endpoint, the malware uses rapid mutation to keep anti-virus systems guessing. It makes minor changes to the malware file to modify it and, in other cases, recompiles the entire code to make it appear unrecognisable,” explained Michael Oppenheim, global research lead at IBM X-Force Incident Response and Intelligence Services. 

In its latest iteration, QakBot locks people out of AD as a side effect of the way it spreads from machine to machine. It reuses the credentials of an infected machine and its logged-on user to authenticate to other systems on the compromised network, and once enough of those attempts fail (for example after a password change, or when the same credentials are tried against many hosts) the domain’s account lockout policy locks the account.

QakBot is not trying to cause the AD lockouts; it is looking to swipe the details of business and potentially personal bank accounts from infected machines that are used for online banking.

Oppenheim notes that so far QakBot has infected and ‘militarised’ over 54,000 computers. 

But concerned enterprises have ways to mitigate the threat. These range from basics such as disabling online adverts and filtering macro execution in emailed files, to ensuring domain accounts are configured with the least privileges needed to carry out their tasks, setting up a dedicated emergency account that lets security staff recover the AD service and track down the source of the trojan, and blocking workstation-to-workstation communications, which forces QakBot to reveal itself and makes it easier to detect.
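Tracking down the source of the lockouts is the step most responders need first. The script below is an added example written for this article; it is not code from IBM X-Force or from the original page. It assumes the ActiveDirectory (RSAT) module is installed, that the account running it can read the Security log on the PDC emulator, and that the `-Hours` and `-Top` parameters are the operator's choice. It reads account lockout events (Event ID 4740) from the PDC emulator, which records every lockout in the domain, and groups them by the "caller computer" that generated the failed logons: a few hosts locking out many distinct accounts is the lateral-movement pattern described above, whereas one user locking out their own account is not.

```powershell
# Added example: locate the workstations behind a wave of AD lockouts.
# Assumptions: RSAT ActiveDirectory module present; rights to read the
# Security log on the PDC emulator; -Hours/-Top chosen by the operator.
param(
    [int]$Hours = 24,   # how far back to look
    [int]$Top   = 10    # how many caller computers to report
)

Import-Module ActiveDirectory

# Every lockout in the domain is recorded on the PDC emulator, whichever DC saw the bad logons.
$pdc = (Get-ADDomain).PDCEmulator

# The policy the worm is tripping: threshold, observation window and lockout duration.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration |
    Format-List

$filter = @{
    LogName   = 'Security'
    Id        = 4740                                  # "A user account was locked out"
    StartTime = (Get-Date).AddHours(-$Hours)
}

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the event XML: TargetUserName is the locked account and, in a 4740 event,
        # TargetDomainName carries the "Caller Computer Name" that submitted the bad logons.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
        }
    }

if (-not $lockouts) {
    Write-Host "No lockout (4740) events on $pdc in the last $Hours hour(s)."
    return
}

# Rank caller computers by how many lockouts, and how many distinct accounts, they caused.
$suspects = $lockouts |
    Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object -First $Top Name, Count,
        @{ Name = 'DistinctAccounts'; Expression = { ($_.Group.Account | Sort-Object -Unique).Count } }

"Caller computers generating lockouts on $pdc (last $Hours h):"
$suspects | Format-Table -AutoSize

# Accounts still locked right now; unlock them only after the suspect hosts are contained,
# otherwise the worm simply locks them again.
"Accounts currently locked out:"
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
```

Run it from an administrative PowerShell session on a domain-joined host; the output is the list of machines to isolate from the rest of the workstation estate and to pull for forensics. If `CallerComputer` is blank or names a file or mail server rather than a workstation, the failing logons were relayed through that server, and the next step is to look at the failed-logon events (4771 and 4776) on that host to find the real origin.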

With malware infecting increasing numbers of corporate networks, it is no wonder cyber security companies are turning to techniques such as machine learning to tackle the ever increasing and evolving range of cyber threats.
