Attivo Networks Blogs

Qakbot Malware… It’s Back, Nastier Than Ever, and with a BullsEye on Healthcare

Be thankful if you haven’t heard the name or encountered Qakbot or Pinkslipbot, which are variants of this malware. It is a particularly nasty and evasive form of malware that is self-propagating. It is known to copy itself on the network and onto removable drives, and while moving laterally is known to mutate making it very difficult to analyze and stop.

Attivo has recently seen an outbreak of Qakbot in the medical industry and is working with several security operations teams to help them be able to detect, analyze, and remove this malware in their networks. With Attivo forensics, security teams are also further empowered with C&C IP addresses so that they can proactively update prevention systems and protect against the exfiltration of data.

This blog provides a brief overview of how Qakbot works in the Kill Chain and how by adding in the Attivo Deception Platform, security operations teams can quickly detect, analyze and remediate against these threats.

Exploring Qakbot in the Kill Chain

Qakbot initial

Qakbot Foothold


Adding Deception to Deceive and Delay Attacker


Attivo Forensics and Threat Intelligence

The Attivo BOTsink Multi-dimension Correlation Engine is able to explode attacks safely within a VM. A port can also be opened to communicate with Command and Control for other threat intelligence such as methods, tools, and intent.

  • Action:
    • Automatic BOTsink detection or
    • Sample upload to BOTsink for analysis




Organizations with some of the best-in-class prevention system are demonstrating that they cannot reliably stop Qakbot.

  • New malware strain is going undetected by signature-based systems
  • While moving laterally the malware changes itself making it hard to detect and stop
  • The web exploits utilized legitimate looking java scripts and are bypassing security prevention systems.

Deception is playing a critical role in protecting against Qakbot attacks. Not reliant on known signatures or attack patterns, Attivo can deceive the attacker into engaging. Once detected, the attack is analyzed and in-depth reporting provided for quarantining and updating of prevention systems. Some of the core cited customer value is the ability to detect Qakbot during lateral movement. It’s ability to mutate has challenged many operations teams.

Additional Resources:

No Comments

Post a Comment

five + eight =