Abstract

Friday 7 October 11:30 - 12:00, Green room

Sanchit Karve (Intel Security)
Guilherme Venere (Intel Security)
Mark Olea (Intel Security)

W32/Pinkslipbot (a.k.a. Qakbot), an information stealer active since 2009, is known for being released by its operators in waves, with hiatuses between them. To cover their tracks, the attackers use the bot to upload encrypted stolen credentials to a compromised FTP server, which lets them retrieve the encrypted files at their convenience without revealing their own IP addresses to malware researchers.

Based on two weeks of infection data, Intel Security has seen infections from more than 100 unique Pinkslipbot versions spread across 41,000 machines in 120 countries, including several medical and educational institutions as well as numerous government and military organizations, primarily in North America. The malware is known to steal digital certificates, email and online banking credentials, medical histories, credit card and social security numbers, email addresses and phone numbers, social media accounts and credentials for internal resources. The volume of confidential information and intellectual property stolen from businesses (including software companies) demonstrates the extent of damage the bot can cause.

This paper presents a detailed account and analysis of the malware's components (including its ability to tunnel connections and transfer money directly from bank accounts), the bot's incremental evolution, and the potential connection with the groups behind Dridex, Neverquest and Hesperbot, and describes a key mistake made during the malware release process that accelerated our analysis. Also explained is the design of the bot's decoupled architecture, which gives it the resiliency to adapt to changes in its infrastructure.