Security News > 2022 > January > Researchers Decrypted Qakbot Banking Trojan’s Encrypted Registry Keys

Cybersecurity researchers have decoded the mechanism by which the versatile Qakbot banking trojan handles the insertion of encrypted configuration data into the Windows Registry.

Although mainly fashioned as an information-stealing malware, Qakbot has since shifted its goals and acquired new functionality to deliver post-compromise attack platforms such as Cobalt Strike Beacon, with the final objective of loading ransomware on infected machines.

Newer versions of Qakbot have also gained the ability to hijack email and browser data as well as insert encrypted configuration information pertaining to the malware into the registry as opposed to writing them to a file on disk as part of its attempts to leave no trace of the infection.

"While QakBot is not going fully fileless, its new tactics will surely lower its detection," Hornetsecurity researchers pointed out in December 2020.

Trustwave's analysis into the malware aims to reverse engineer this process and decrypt the configuration stored in the registry key, with the cybersecurity company noting that the key used to encrypt the registry key value data is derived from a combination of computer name, volume serial number, and the user account name, which is then hashed and salted along with a one-byte identifier.

"The SHA1 hash result will be used as a derived key to decrypt the registry key value data respective to the ID using the RC4 algorithm," the researchers said, in addition to making available a Python-based decryptor utility that can be used to extract the configuration from the registry.

News URL

https://thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html