TrojanSpy:Win32/Qakbot
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
Qakbot, also known as Quakbot, Qbot, and similar names, has been active since 2007. Qakbot started life as a credential stealer optimized to obtain credentials from banking and other financial services. In 2020 and 2021, Qakbot infections were observed leading to ransomware-as-a-service (RaaS) actors, who purchased access to those infections and were responsible for expedient ransomware and data exfiltration from organizations.
A global Qakbot campaign has been impacting organizations with malicious email deliveries that lead to infection with a renovated Qakbot implant, which quickly ascertains system information to determine which organizations are valuable for resale. Based on the company or network profile obtained during this reconnaissance, Qakbot transitions to human re-entry by a motivated operator. The consequences are likely to involve ransomware and data exfiltration, as well as an increased scope of organizational compromise.
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
To help reduce the impact of this threat, you can:
- Assume that this device is compromised. Inspect the device thoroughly, check for malicious activities in its timeline and isolate it from the network if possible.
- Investigate how the affected endpoint might have been compromised. Check web and email traffic to determine how the payload arrived.
- Check for credential theft attempts. Even without clear indicators, consider decommissioning or resetting all accounts used on this device.
- Determine how this device was compromised by checking the mailbox for unsolicited emails that contained suspicious attachments or links, or by scanning the device for the presence of Qakbot.
- Ensure server systems are restricted from accessing the internet for arbitrary browsing, downloads, or malware command-and-control traffic by using network firewall rules at the perimeter as well as proxy settings.
- Initiate an incident response process, focusing on responding to possible data exfiltration and ransomware deployment, both of which attackers might have already performed. Contact your incident response team. If you don't have one, contact Microsoft support for investigation and remediation services.
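The definition update, full scan, and check for the presence of Qakbot described above, as an added PowerShell example (not a script from this page or from Microsoft). It uses the built-in Defender cmdlets and assumes detections carry "Qakbot" in the threat name, as this entry's name does.

```powershell
#Requires -RunAsAdministrator
# Added example. The '*Qakbot*' name filter is an assumption based on the
# detection name TrojanSpy:Win32/Qakbot shown on this page.

# 1. Check whether cloud-delivered protection is on.
#    MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced.
$cloudEnabled = (Get-MpPreference).MAPSReporting -ne 0
Write-Host "Cloud-delivered protection enabled: $cloudEnabled"

# 2. Without cloud-delivered protection, pull current definitions before scanning.
if (-not $cloudEnabled) {
    Update-MpSignature
}
$status = Get-MpComputerStatus
Write-Host ("Signature version {0}, last updated {1}" -f `
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)

# 3. Run a full scan (this can take a long time on large disks).
Start-MpScan -ScanType FullScan

# 4. List every recorded Qakbot detection with the affected resources,
#    so the files and timestamps can feed the incident timeline.
$threats = Get-MpThreat | Where-Object { $_.ThreatName -like '*Qakbot*' }
if (-not $threats) {
    Write-Host 'No Qakbot detections recorded on this device.'
}
foreach ($t in $threats) {
    Get-MpThreatDetection -ThreatID $t.ThreatID |
        Select-Object InitialDetectionTime,
                      @{ Name = 'Threat'; Expression = { $t.ThreatName } },
                      ProcessName, DomainUser, Resources, ActionSuccess
}
```

An empty result only means Defender has no recorded Qakbot detection on this device; the account resets and network checks in the list above still apply.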