Diving into Pinkslipbot's Latest Campaign

Friday 7 October 11:30 - 12:00, Green room

Sanchit Karve (Intel Security)
Guilherme Venere (Intel Security)
Mark Olea (Intel Security)

W32/Pinkslipbot (a.k.a. Qakbot), an information stealer active since 2009, is released by its operators in waves separated by hiatuses. To cover their tracks, the attackers use the bot to upload encrypted stolen credentials to a compromised FTP server, from which they can retrieve the encrypted files at their convenience without revealing their own IP addresses to malware researchers.

Based on two weeks of infection data, Intel Security has seen infections from more than 100 unique Pinkslipbot versions spread across 41,000 machines in 120 countries, including several medical and educational institutions as well as numerous government and military organizations, primarily in North America. The malware is known to steal digital certificates, email and online banking credentials, medical histories, credit card and social security numbers, email addresses and phone numbers, social media accounts and credentials for internal resources. Such copious amounts of confidential information and intellectual property stolen from businesses (including software companies) demonstrate the extent of damage the bot can cause.

This paper presents a detailed account and analysis of the malware's components (including its ability to tunnel connections and transfer money directly from bank accounts), the bot's incremental evolution, and the potential connection with the groups behind Dridex, Neverquest and Hesperbot, and describes a key mistake made during the malware release process that accelerated our analysis. It also explains the design of the bot's decoupled architecture, which gives it the resiliency to adapt to changes in the bot's infrastructure.



Sanchit Karve

Sanchit Karve works at Intel Security (previously McAfee Labs) as an anti-malware researcher, realizing his passion for reverse engineering discovered in his early teens. He holds a Master's degree in computer science from Oregon State University and was awarded Virus Bulletin's Péter Szőr Award for best technical research in 2015 for his work on the AAEH/Beebone botnet which facilitated its takedown by global law enforcement agencies in April 2015. You can find him in his spare time binge-gaming RPGs, hiking aimlessly across the Oregon hills, or wherever heavy metal gigs take him (Up the Irons and long live the Priest! \m/).



Guilherme Venere

Guilherme is a malware research lead at Intel Security's Global Threat Response group. It is part of his daily duties to help customers get through malware outbreaks, create AV signatures and study malware behaviour and trends. As part of these duties, Guilherme is frequently involved in fighting prevalent malware families and devising methods to improve detection proactively. Guilherme has been in the field of malware research for eight years and has worked as a security analyst and incident responder at a national backbone provider while living in Brazil, dealing daily with all kinds of security issues related to network infrastructure, spam and malware distribution among customer networks. He also helped implement the Brazilian Academic Network Honeynet Project and Academic Certificate Authority.


Mark Olea

Mark Olea is a security researcher at Intel Security Group (previously McAfee). He joined McAfee in late 2008. Prior to that he worked as an anti-malware engineer at Trend Micro. He graduated from Ateneo De Naga with a Bachelor's degree in computer engineering. Mark is married with two kids. During his free time, he enjoys playing with his kids, watching TV and tinkering with IoT stuff.

