Malware shipping on Thumb Drives from China

In March 2018, an unidentified financial services corporation received a thumb drive infected with the bank credential-stealing Qakbot malware variant, which targets information on networked computers and financial institution web sites.

Yet another security breach, this time at a financial institution, delivered by malware on a USB thumb drive.  The malware was already on the drives when the institution bought them in bulk from the manufacturer in China.  FBI forensics determined that the variant was placed on the drives before they entered the United States, which suggests the infection was deliberate, and quite possibly targeted.

One of the main concerns with Qakbot is that it is extremely persistent.  Every infected machine and every infected drive has to be cleaned; leaving even one untouched is as good as doing nothing, because the malware will simply spread back out from it.  It can look like it is gone, and then someone powers on a workstation that was forgotten during the cleanup and the whole network is infected again.  That is a real cost concern: a large company may end up disinfecting its devices several times over.

Prevention

This malware propagates through removable drives, network-attached drives, and over the network itself, including by email.  Intrusion prevention software is strongly recommended on any system that has to be protected from threats such as Qakbot.

For signature-based intrusion detection systems, make sure the hashes of known Qakbot variants are loaded.  The MD5 of the variant identified in the FBI PIN was ff0e3ec80faafd04c9a8b375be77c6b6.  A hash matches exactly one build of the malware and changes with every repack or recompile, so be prepared to back it up with behavioral or heuristic detection.
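The simplest way to put that hash to work before a drive is plugged into a production machine is to mount it read-only on an isolation box and hash every file on it against the IOC list.  The script below is an added example, not code from the original notification or from any vendor product.  It computes MD5 (to match the PIN's indicator) and SHA-256 (so the same scan can consume newer indicators) for every regular file under a mount point and reports matches.  The `demo()` function builds a throwaway directory standing in for a mounted drive; the "sample" it plants is a constructed byte string, not real malware, and its hash is added to the IOC set purely so the scan has something to find.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 of the Qakbot variant named in the FBI PIN, as quoted on this page.
QAKBOT_PIN_MD5 = "ff0e3ec80faafd04c9a8b375be77c6b6"

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files are never read whole


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, streaming it in chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def scan_directory(root, bad_md5s, bad_sha256s=()):
    """Walk `root` (e.g. the mount point of a thumb drive) and return the
    files whose MD5 or SHA-256 is in the known-bad sets.  Symlinks are not
    followed, and unreadable files are skipped rather than aborting the scan."""
    bad_md5s = {h.lower() for h in bad_md5s}
    bad_sha256s = {h.lower() for h in bad_sha256s}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                md5, sha = hash_file(path)
            except OSError:
                continue
            if md5 in bad_md5s or sha in bad_sha256s:
                hits.append({"path": str(path), "md5": md5, "sha256": sha})
    return hits


def demo():
    """Build a temporary directory that stands in for a mounted drive.
    It holds a benign file and a CONSTRUCTED stand-in sample (a fixed byte
    string, not malware).  The IOC set holds the PIN's MD5 plus the stand-in's
    MD5 (assumption for the demo) so the scan returns exactly one match.
    Returns ([(filename, md5), ...], stand_in_md5)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"quarterly report\n")
        sample = root / "autorun" / "update.exe"
        sample.parent.mkdir()
        sample.write_bytes(b"CONSTRUCTED-SAMPLE-NOT-MALWARE\x00" * 64)
        sample_md5, _ = hash_file(sample)
        iocs = {QAKBOT_PIN_MD5, sample_md5}
        hits = scan_directory(root, iocs)
        return [(Path(h["path"]).name, h["md5"]) for h in hits], sample_md5


if __name__ == "__main__":
    matches, _ = demo()
    for name, md5 in matches:
        print(f"IOC match: {name} md5={md5}")
```

For a real drive, call `scan_directory("/mnt/usb", {QAKBOT_PIN_MD5, ...})` with the drive mounted `noexec` and read-only; the MD5 check only catches the exact build from the PIN, which is why the function also takes SHA-256 indicators and why the rest of this section still matters.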

Many intrusion prevention products can also block access to USB and other attached devices unless the device has been explicitly approved.  That is a big help in preventing physical transmission of the malware.

As for email, the common-sense rules that apply to any malware also apply to Qakbot and its variants:
  • Do not open email you do not recognize.
  • Set your email client to block remote images by default.
  • Never download an attachment unless you absolutely trust the sender, and scan it anyway.

The nerd info

Qakbot is an information-stealing worm, originally discovered in 2007 and given a major update in 2017, that propagates through removable drives, network shares, and web pages.  The most common initial intrusion vector is a malicious attachment to a phishing email.  Once executed, Qakbot copies itself to shared folders and uses the Server Message Block (SMB) protocol to infect other machines.  It has keylogging capabilities and can propagate across a network environment from a single infected host.
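The SMB propagation described above is what makes the worm visible on the wire: one infected host starts opening tcp/445 connections to many distinct machines in a short span, which an ordinary workstation does not do.  The detector below is an added example for this page, not part of the original notification or of any product; it runs over constructed flow records (timestamp, source, destination, destination port, protocol, loosely modelled on a Zeek conn.log) and, for each source, counts the peak number of distinct SMB targets inside a sliding time window.  The sample traffic in `build_sample_flows()` is invented: a worm-like burst, a slow host that also reaches twelve servers but only one every ten minutes, and a normal client; the window and threshold values are assumptions to be tuned to your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """CONSTRUCTED sample traffic, not captured data.
    Format per line: <ISO timestamp> <src> <dst> <dst_port> <proto>."""
    base = datetime(2018, 3, 12, 9, 0, 0)
    lines = []
    # 10.0.5.17: twelve distinct SMB targets within two minutes (worm-like fan-out)
    for i in range(12):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} 10.0.5.17 10.0.5.{101 + i} 445 tcp")
    # 10.0.5.40: also twelve distinct targets, but one every ten minutes
    # (a backup or inventory job, say); the window should not flag this host
    for i in range(12):
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} 10.0.5.40 10.0.5.{101 + i} 445 tcp")
    # 10.0.5.30: ordinary client talking to two file servers, plus an HTTPS
    # flow that the detector must ignore because it is not SMB
    lines += [
        f"{base.isoformat()} 10.0.5.30 10.0.5.200 445 tcp",
        f"{(base + timedelta(minutes=1)).isoformat()} 10.0.5.30 10.0.5.201 445 tcp",
        f"{(base + timedelta(minutes=2)).isoformat()} 10.0.5.30 198.51.100.7 443 tcp",
    ]
    return "\n".join(lines)


def parse_flows(text):
    """Parse the whitespace-separated flow lines into dicts; blank lines skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dst_port": int(port), "proto": proto})
    return flows


def smb_fanout(flows, window_seconds=300, threshold=10):
    """For each source host, compute the largest number of distinct hosts it
    opened SMB (tcp/445) connections to inside any window of `window_seconds`.
    Returns {src: peak_distinct_targets} for sources at or above `threshold`.
    Uses a two-pointer sweep over the time-sorted events, so each source is
    processed in O(n) regardless of how many flows it has."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dst_port"] == 445 and f["proto"] == "tcp":
            by_src[f["src"]].append((f["ts"], f["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> number of flows still inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # drop events that have aged out of the window ending at `ts`
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in smb_fanout(parse_flows(build_sample_flows())).items():
        print(f"ALERT: {src} reached {peak} distinct SMB hosts within 5 minutes")
```

On the constructed sample only 10.0.5.17 is reported; the slow host never has more than one target inside a five-minute window, which is the reason for windowing rather than counting distinct targets per day.  Lowering `threshold` to 2 also surfaces the ordinary client, a reminder that the threshold has to come from measuring what legitimate hosts in the environment actually do.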

sources: Public Intelligence