A strain of banking malware that has been around since 2009 has reappeared and is locking users out of corporate domains, leaving them unable to access servers and other systems.
Called Qakbot, the new strain has been observed by researchers at IBM's X-Force research team who say it appears to be linked to a spate of Active Directory lockouts.
The first of these attacks, which deny users access to the data which is used to authenticate and authorise users, was spotted last week. The malware itself is a banking Trojan known to target businesses to drain their online banking accounts.
It has worm capabilities to self-replicate through shared drives and removable media. It uses powerful information-stealing features to spy on users' banking activity and eventually defraud them of large sums of money.
This time, the malware has spread through networks and is locking users out of their accounts by use of automated logon attempts.
“To access and infect other machines in the network, the malware uses the credentials of the affected user and a combination of the same user's login and domain credentials, if they can be obtained from the domain controller (DC),” the researchers said.
“Qakbot may collect the username of the infected machine and use it to attempt to log in to other machines in the domain. If the malware fails to enumerate usernames from the domain controller and the target machine, the malware will use a list of hardcoded usernames instead.”
The researchers said under certain domain configurations, the malware's dictionary attack for accessing the target machines can result in multiple failed authentication attempts, which eventually trigger an account lockout.
The main purpose of the Trojan is take over the bank accounts of a business, and possibly those of infected employees who browse their online banking at work.
It is also good at evading detection and stays resident on systems, according to the researchers.
"Overall, Qakbot's detection circumvention mechanisms are less common than those used by other malware of its class. Upon infecting a new endpoint, the malware uses rapid mutation to keep AV systems guessing. It makes minor changes to the malware file to modify it and, in other cases, recompiles the entire code to make it appear unrecognisable,” they said.
Paul Calatayud, chief technology officer at FireMon, said AD lockout was more of an effect or byproduct of the malware attempt at account numeration.
“There are obfuscation techniques within this malware that does make it hard for detection and removal. First, the malware is downloaded over a period of time in chunks to bypass network based malware detection. Once on the machine, the malware attacks the antivirus and changes itself to avoid further detection,” he said.
Calatayud said users should avoid accessing their personal bank accounts while on work machines and deploy two-factor on any important accounts whenever possible.