VB2016 paper: Diving into Pinkslipbot's latest campaign

Posted by   Martijn Grooten on   Jun 12, 2017

Pinkslipbot, also known as Qakbot or Qbot, is a banking trojan that makes the news every once in a while, yet never seems to get the attention of the world's Zbots and Dridexes. I looked at the malware myself three years ago, but since then it has been updated several times, the most recent update having been written about in an IBM blog post, which focused on the malware causing Active Directory lockouts in many organizations.

Pinkslipbot was also the subject of a VB2016 paper by McAfee (then Intel Security) researchers Sanchit Karve, Guilherme Venere and Mark Olea, who not only looked at the malware's then latest campaign, but also provided a detailed overview of its inner workings and its C&C infrastructure. The fact that it had infected around 100,000 devices (mostly within organizations in North America) underlines that it is important for the security industry not to overlook this malware.

Following the recent renewed interest in the malware, we have published Sanchit, Guilherme and Mark's full paper (HTML and PDF). Unfortunately, no video of their presentation is available.

 

pg7_fig8_infrastructure.png

At this year's VB conference (VB2017), several of the presentations on the programme deal with the issue of banking malware, including one on the prominent Dridex trojan and one that looks at how browsers are being abused by today's banking trojans.

VB2017 takes place 4-6 October in Madrid, Spain. Registration is now open - register before 30 June for a 10% Early Bird discount!

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Throwback Thursday: Giving the EICAR test file some teeth

The 68-byte EICAR test file plays as important a role today as it did 19 years ago. In this week's Throwback Thursday we look back at a VB99 conference paper in which Randy Abrams described how this 'miracle tool' worked and how it could be used.

XMRig used in new macOS cryptominer

A new piece of cryptocurrency-mining malware on macOS has been found to use the popular XMRig miner.

Tendency for DDoS attacks to become less volumetric fits in a wider trend

CDN provider Cloudflare reports an increase in DDoS attacks targeting layer 7 and focusing on exhausting server resources rather than sending large volumes of data. This fits in a wider trend.

Turkish Twitter users targeted with mobile FinFisher spyware

Through fake social media accounts, users were tricked into installing an Android application that was actually a mobile version of the FinFisher spyware.

Hide'n'Seek IoT botnet adds persistence

The Hide'n'Seek IoT botnet has received an update to make its infection persist on infected devices beyond a restart.