QakBot Returns To Lock Thousands Out Of Microsoft Active Directory Service

Malware is causing account lockouts for hundreds of thousands of users of Microsoft’s Active Directory (AD) service, preventing them from accessing their company servers, networked assets and endpoints.

The outbreak was discovered by IBM’s X-Force Research division, which noted that the AD lockouts, AD being the service that manages users and access across Windows domains, could be attributed to malicious activity by the known QakBot trojan, also called PinkSlipBot.

QakBot back

QakBot is a trojan variant of financial malware that targets businesses in order to drain their online banking accounts. The trojan can self-replicate through removable media and network shares, and it steals information to spy on the banking activity of users of infected machines, eventually defrauding them of significant sums of money.

Despite being a well-known strain of malware, QakBot is difficult to tackle because of its modular, multithreaded construction and its constant evolution, which lets it open backdoors into systems, subvert anti-virus tools and frustrate the researchers trying to observe and analyse it.

“Upon infecting a new endpoint, the malware uses rapid mutation to keep anti-virus systems guessing. It makes minor changes to the malware file to modify it and, in other cases, recompiles the entire code to make it appear unrecognisable,” explained Michael Oppenheim, global research lead at IBM X-Force Incident Response and Intelligence Services.

In its latest iteration, QakBot locks people out of AD as a side effect of the way it spreads from machine to machine: it reuses the credentials of an infected machine and its logged-on user to authenticate to other hosts on the compromised network, and repeated failed attempts with those credentials trip AD’s account lockout mechanism.

QakBot is not trying to cause the AD lockouts; it is after the details of business and possibly personal bank accounts accessed from the infected machines.

Oppenheim notes that QakBot has so far infected and ‘militarised’ more than 54,000 computers.

Concerned enterprises do have ways to mitigate the threat. The basics are blocking online adverts and filtering macro execution in emailed files. Beyond that, IBM advises configuring domain accounts with the least privileges needed to carry out their tasks, setting up a dedicated emergency account so that security staff can recover the AD service and trace the source of the trojan even while other accounts are locked, and blocking workstation-to-workstation communication, which both slows the spread and forces QakBot to reveal itself so that it can be detected.
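The lockout mechanism described above, and the source-tracing step in the mitigation advice, can be reproduced from the domain controllers’ failed-logon records. The following is an added example written for this article, not code from IBM X-Force or from the malware analysis it reports. It models a hypothetical domain lockout policy (threshold of 5 bad logons within a 30-minute observation window) applied to a constructed list of Windows Security event 4625 (failed logon) records, reports which accounts would be locked out, and attributes each lockout to the workstation that submitted the last bad password, which is the field an analyst would read from the corresponding 4740 event. The workstation names, account names and timestamps are invented for the example.

```python
"""Reconstruct AD account lockouts from failed-logon events and trace their source.

Added example (not the article's or IBM's code). Assumptions, all hypothetical:
  - Lockout policy: 5 failed logons within a 30-minute observation window.
  - Input records mimic Windows Security event 4625 (failed logon) fields:
    timestamp, event id, target account, source workstation.
  - Sample events are constructed by hand for the example.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                      # assumed Default Domain Policy value
OBSERVATION_WINDOW = timedelta(minutes=30)  # assumed "reset lockout counter after"

# Constructed sample: fictional host WS-017 replays cached credentials against
# other hosts (the spreading pattern the article describes), while a user on
# WS-042 mistypes a password once.
SAMPLE_EVENTS = [
    # (timestamp, event id, target account, source workstation)
    ("2017-06-01T08:00:00", 4625, "asmith", "WS-017"),
    ("2017-06-01T08:01:00", 4625, "asmith", "WS-017"),
    ("2017-06-01T08:02:00", 4625, "asmith", "WS-017"),
    ("2017-06-01T09:00:00", 4625, "jsmith", "WS-017"),
    ("2017-06-01T09:00:05", 4625, "jsmith", "WS-017"),
    ("2017-06-01T09:00:10", 4625, "jsmith", "WS-017"),
    ("2017-06-01T09:00:15", 4625, "jsmith", "WS-017"),
    ("2017-06-01T09:00:20", 4625, "jsmith", "WS-017"),  # 5th failure inside window
    ("2017-06-01T09:01:00", 4625, "mjones", "WS-042"),  # one genuine typo, no lockout
    ("2017-06-01T09:02:00", 4625, "bkhan", "WS-017"),
    ("2017-06-01T09:02:05", 4625, "bkhan", "WS-017"),
    ("2017-06-01T09:02:10", 4625, "bkhan", "WS-017"),
    ("2017-06-01T09:02:15", 4625, "bkhan", "WS-017"),
    ("2017-06-01T09:02:20", 4625, "bkhan", "WS-017"),   # 5th failure inside window
    ("2017-06-01T09:05:00", 4625, "asmith", "WS-017"),  # 08:0x failures have aged out
    ("2017-06-01T09:06:00", 4625, "asmith", "WS-017"),
]


def parse_events(raw):
    """Turn the raw tuples into dicts with real datetimes, ordered by time."""
    events = [
        {"time": datetime.fromisoformat(ts), "id": eid,
         "account": acct, "workstation": ws}
        for ts, eid, acct, ws in raw
    ]
    return sorted(events, key=lambda e: e["time"])


def find_lockouts(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Apply the lockout policy to failed logons; return one record per lockout.

    Each record carries the account, the time it would be locked, the
    workstation that submitted the tipping failure (what 4740 reports as
    Caller Computer Name) and a tally of all workstations whose failures
    were still inside the observation window at that moment.
    """
    recent = defaultdict(deque)   # account -> (time, workstation) inside the window
    locked = {}                   # account -> time it was locked
    lockouts = []
    for ev in events:
        if ev["id"] != 4625 or ev["account"] in locked:
            continue              # only failed logons count; a locked account stays locked
        q = recent[ev["account"]]
        while q and ev["time"] - q[0][0] > window:
            q.popleft()           # failures older than the window no longer count
        q.append((ev["time"], ev["workstation"]))
        if len(q) >= threshold:
            locked[ev["account"]] = ev["time"]
            lockouts.append({
                "account": ev["account"],
                "locked_at": ev["time"],
                "caller_computer": ev["workstation"],
                "sources": Counter(ws for _, ws in q),
            })
    return lockouts


def rank_sources(lockouts):
    """Count lockouts per caller computer, most prolific first.

    On a QakBot-style outbreak the top entry is the host to isolate first.
    """
    return Counter(lo["caller_computer"] for lo in lockouts).most_common()


if __name__ == "__main__":
    found = find_lockouts(parse_events(SAMPLE_EVENTS))
    for lo in found:
        print(f"{lo['locked_at']:%H:%M:%S} {lo['account']:<8} locked by "
              f"{lo['caller_computer']} (window sources: {dict(lo['sources'])})")
    print("lockouts per source workstation:", rank_sources(found))
```

Run against real data, the same logic applies to 4625 events exported from every domain controller (lockout counters are tracked on the PDC emulator, but the failures that feed them are logged wherever the authentication was attempted), and the account named in the emergency-access advice above should be excluded from the input so that responders cannot lock themselves out while investigating.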

With malware infecting growing numbers of corporate networks, it is no wonder cyber security companies are turning to techniques such as machine learning to tackle the ever-increasing and evolving range of cyber threats.

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
