QakBot Returns To Lock Thousands Out Of Microsoft Active Directory Service

Malware has been causing lockouts of Microsoft’s Active Directory (AD) service for hundreds of thousands of users, preventing them from accessing their company servers, networked assets and endpoints.

The malware outbreak was discovered by IBM’s X-Force Research division, which noted that the lockouts of AD, the service that manages users and access on Microsoft servers, could be attributed to malicious activity by the known QakBot trojan, also known as PinkSlip.

QakBot back

QakBot is a trojan variant of financial malware that has been known to target businesses in order to drain their online banking accounts. The trojan can self-replicate through removable media and shared drives, and can steal information to spy on the banking activities of users of infected machines and eventually defraud them of significant sums of money.

Despite being a well-known strain of malware, QakBot is difficult to tackle because of its modular, multithreaded construction and its ability to evolve constantly, creating backdoors into systems, subverting anti-virus tools and making it hard for cyber security researchers to observe and counter.

“Upon infecting a new endpoint, the malware uses rapid mutation to keep anti-virus systems guessing. It makes minor changes to the malware file to modify it and, in other cases, recompiles the entire code to make it appear unrecognisable,” explained Michael Oppenheim, global research lead at IBM X-Force Incident Response and Intelligence Services.

In its latest iteration, QakBot locks people out of AD as a side effect of the way it spreads from machine to machine: it reuses the credentials of an infected machine and its user to move through a compromised network, and that repeated credential reuse triggers AD’s account lockout mechanism.

QakBot is not looking to cause the AD lockouts; rather, it is looking to swipe the details of business and potentially personal bank accounts from infected machines being used to access online banking.

Oppenheim notes that so far QakBot has infected and ‘militarised’ over 54,000 computers.

But concerned enterprises have ways to mitigate the threat. These range from basics such as disabling online adverts and filtering macro execution in emailed files, to configuring domain accounts with the least privileges needed to carry out their tasks, setting up a dedicated emergency account so that security staff can recover the AD service and trace the source of the trojan, and blocking workstation-to-workstation communication to force QakBot to reveal itself so that it can be detected.
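A defender-side check for the lockout pattern described above (one infected workstation reusing credentials and locking out many accounts) and for the detection angle in the mitigation list. This is an added example, not code from the article or from IBM X-Force; it assumes Windows Security event 4740 (“A user account was locked out”) records have been exported to a simple one-line-per-event text format (constructed here), and the ten-minute window and three-account threshold are assumptions, not values from the article.

```python
"""Flag source hosts that lock out many distinct AD accounts in a short window.

Worm-like credential reuse from a single infected workstation shows up in
event 4740 as many different locked-out accounts sharing one caller computer.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): timestamp, event id, the account
# that was locked out, and the caller computer reported by event 4740.
SAMPLE_4740_LOG = """\
2017-06-02T09:14:05Z 4740 TargetUserName=alice CallerComputerName=WS-0142
2017-06-02T09:14:09Z 4740 TargetUserName=bob CallerComputerName=WS-0142
2017-06-02T09:14:12Z 4740 TargetUserName=carol CallerComputerName=WS-0142
2017-06-02T09:14:20Z 4740 TargetUserName=dave CallerComputerName=WS-0142
2017-06-02T09:31:44Z 4740 TargetUserName=erin CallerComputerName=WS-0077
2017-06-02T11:02:10Z 4740 TargetUserName=alice CallerComputerName=WS-0142
"""


def parse_4740(line):
    """Return (timestamp, locked-out account, caller computer) or None for other events."""
    ts, event_id, *fields = line.split()
    if event_id != "4740":
        return None
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, kv.get("TargetUserName", "?"), kv.get("CallerComputerName", "?")


def find_mass_lockout_sources(log_text, window=timedelta(minutes=10), threshold=3):
    """Map each caller computer that locked out >= threshold distinct accounts
    within any `window`-long span to the set of accounts it locked out."""
    by_caller = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_4740(line)
        if rec:
            when, user, caller = rec
            by_caller[caller].append((when, user))

    suspects = {}
    for caller, events in by_caller.items():
        events.sort()  # sliding window over chronologically ordered lockouts
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= threshold:
                suspects[caller] = suspects.get(caller, set()) | users
    return suspects


if __name__ == "__main__":
    for host, accounts in find_mass_lockout_sources(SAMPLE_4740_LOG).items():
        print(f"{host}: locked out {len(accounts)} accounts {sorted(accounts)}")
```

A host that trips this check is a candidate for isolation and forensic review; a single stale password on a service account will not, because it produces repeated lockouts of one account rather than many.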

With malware infecting increasing numbers of corporate networks, it is no wonder cyber security companies are turning to techniques like machine learning to tackle the ever increasing and evolving range of cyber threats.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
