
Security researchers from IBM X-Force have discovered a malware campaign that is causing Microsoft Active Directory users be locked out of their company’s domain.
The lockouts have been attributed to the QakBot banking Trojan also known as PinkSlip.
This financial Trojan has been used to illegally acquire sensitive information from banks and end users since at least 2011.
It was considered one of the most sophisticated banking Trojans in existence, and was created to target the business banking sector exclusively.
However, the attacks of Microsoft Active Direct system users are a new direction taken by the actors behind the malware.
According to a publication by a team in the X-Force Incident Response and Intelligence Services (IRIS), there has been an increase in cases of Active Direct lockouts over the past few weeks.
The QakBot malware is trying to spread via an infected network.
It uses the credentials of the victim’s machine and user accounts, thus triggering the Active Direct lockout problem.
The researchers suspect that many organizations using Active Directory have been affected and the problem may persist, as this malware campaign is still active.
QakBot has been known to target businesses by draining online banking accounts.
It has been employed in online fraud schemes in the past and seems to be evolving.
In this recent campaign, the malware attempts to reuse affected machines and user accounts and/or execute brute force username and password combinations in a bid to spread to other machines.
Microsoft Active Direct responds to this cyber assault by locking out the users.
The QakBot malware employs a “man in the browser” (MitB) functionality, which enables the insertion of malicious code into online banking sessions.
The malware does not harbor the malicious scripts in its configuration file.
It extracts the scripts from the domain it controls.
The malicious scripts are oftentimes termed as web injections, since they’re employed to tamper with the visual content that the affected user views on their banking websites.
The actors behind the malware can steal information when the user initiates online banking session.
This includes cached credentials, user keystrokes, digital certificates, cookies and HTTP session authentication data.
Other data including IP address, DNS name, host name, username and system information can be sent to the C&C server.
The IRIS global research lead, Mike Oppenheim, was quick to emphasize that the QakBot malware does not compromise Microsoft Active Directory itself.
The campaign is relying on weak cyber security practices to be successful.
If a user does not implement credential best practices, then the malware manages to guess the admin password and gain access to escalated privileges.
At that point, this malware can be used to conduct malicious operations.
According to the researchers, the current version of the malware has the ability to evade antivirus tools as well as disable security software operating on the endpoint.

When QakBot infects a new endpoint, it mutates rapidly thus keeping the anti-malware tools guessing.
It may modify the malicious file by making small changes to it or recompile the whole malicious code effectively making it undetectable by the antivirus systems.
It also deploys persistence mechanisms on enterprise environments using scheduled tasks and a Registry run key.
All these aspects make it difficult to remove the malware from the target systems.
This banking Trojan infects endpoints via a “dropper,” which evades detection by delaying executions.
By not acting for 10 to 15 minutes on the target, it can avoid sandboxes that analyze incoming files.
QakBot utilizes a list of hardcoded C&C servers and a Domain Generation Algorithm to maintain communication with the affected machines on rendezvous domains.
The QakBot malware is delivered to users through exploit kits sent via email and spear fishing campaigns that specifically target employees.
The malware can also originate from infected websites.
Mitigating QakBot Infections
The security researchers suggest various actions that end users and organizations can take to limit the malware infection risks.
One is utilizing adaptive malware detection systems, which offer real-time protection from evolving cyber threats.
Organizations can also ensure that their employees are properly educated on cybersecurity threats.
QakBot malware and other campaigns like it rely on weakness on the users’ ends, with infections originated from malicious websites and email attachments.
End users should practice browser hygiene, filtering macro executions in files and disabling online ads.
Organizations can configure domain accounts with minimum privilege necessary for employees to complete their tasks.
This can limit the actions of QakBot malware on the Active Direct networks.
Complex password frameworks are also necessary for all users on the network in order to prevent brute force cyber-attacks.
Setting up Domain Admin accounts for security purposes can reduce the risk of Active Directory lockouts.
These accounts can be operational as users are locked out, and can help ascertain the source of the lockouts.