Layered defense blocks financial malware from infiltrating Illinois community bank.

Home
Solutions

Technology
Powering the future of wealth with enterprise platform solutions that address complex business challenges

Operations
Achieving operational excellence with business process outsourcing and data management that help clients improve efficiency and performance

Asset management
Connecting investors to what matters most, so they can achieve their goals and make confident decisions

Featured
Insights

Corporate insights
Perspectives and happenings from our leaders and experts

Newsroom
The latest news and announcements

Featured
Investor relations

Overview
The latest financial information for shareholders

Events and webcasts
Timely shareholder announcements and event information

Governance

Reports and filings

Stock information

Board diversity matrix

Featured
Discover SEI ^®

Our story
Who we are, what we do, and how we do it.

Our commitment
Building brave futures through the power of connection.

Our leadership team

Newsroom

Careers

Featured

November 8, 2023

3 MIN READ

Client Profile

Well-established community and retail bank
Federally chartered bank with eight locations
Over $800 million in assets
More than 100 employees; a small IT staff
Partners with SEI sphere for cybersecurity services

The modern-day banking Trojan

Qakbot, also known as QBot or Pinkslipbot, is a banking Trojan, a type of malware that’s known to target financial institutions and their customers. It is extremely versatile, initially designed to steal banking credentials to perform wire fraud and drain online banking accounts, but also known to spy on financial operations and install ransomware.

QakBot works by manipulating web browser sessions through web injections to make automated clearing house (ACH) payments. The malware features worm capabilities that self-replicate through shared drives and removable media, and uses powerful information-stealing features to spy on users’ banking activity and eventually defraud them of large sums of money.

Though Qakbot has been around since 2007, newer versions are classified as high-severity threats due to adoption of highly evasive adaptive threat (HEAT) techniques as well as fast threat actor movements (within hours).

A spike in deliveries

In March and April 2023, we observed multiple Qakbot deliveries targeting our client using our Operational Real-time Envelope Opening (OREO), a proprietary email filtering technology.

How it works: Operational Real-time Envelope Opening, or OREO, works on top of existing email protection tools to blind carbon copy (BCC) our system on every email sent to our clients. OREO decrypts attachments, makes sure they’re clean by checking for specific signatures, then re-encrypts them and sends the email to its destination.

Coverage for all phases

By design, our defenses closely parallel key steps in the Cyber Kill Chain¹, providing multiple opportunities for remediation at every stage of attack:

Delivery – YARA is an open-source tool that exploits code similarities between malware samples within a family to identify malware.² SEI Sphere has multiple YARA detections in place via OREO to detect malicious file attachments containing the Qakbot malware. These detections are what initially alerted SEI to these deliveries.
Exploitation – The primary site of exploitation appeared to come from a vast number of compromised mailboxes. Using OREO, we observed the attackers communicating using conversations and subjects from old emails in an attempt to lure the end user into thinking they were continuing conversations from a legitimate email thread.
Installation – Had SEI Sphere not purged the email from a user’s inbox and the user proceeded to click on the malicious attachment, our firewall technology³ would have been able to detect and block communications to secondary download sites based on its malware detection policy. If the firewall had failed or was not in place and secondary download was successful, our next-gen antivirus⁴ would have then detected the attempted execution of the scripts and blocked them from running.
Command and control (C2) – The domains used in most of these attacks were newly registered domains. Had all previous measures failed, attempted connections to command and control would have been prohibited by firewall policy to block connections to newly registered domains. As these campaigns evolve, SEI Detection Engineering continues to write rules to detect communications to associated C2 channels.

Nothing to see here

SEI had significant coverage in all stages of this cyberattack to help ensure that any future attacks of this nature would be detected and remediated with minimal impact to the client. We could do the same for you.

CrowdStrike and Palo Alto Networks are not affiliated with SEI or its subsidiaries.

¹Lockheed Martin, “The Cyber Kill Chain^®,” lockheedmartin.com.

²National Cybersecurity and Communications Integration Center, “Using YARA for Malware Detection,” NCCIC/ICS-Cert Monitor, May/June 2015.

³SEI Sphere uses Palo Alto Network’s next-gen firewall as part of its network protection layer.

⁴SEI Sphere uses CrowdStrike’s next-gen antivirus as part of its endpoint protection layer.

Explore our solutions

See what SEI Sphere has to offer.

Take a look

Let's connect

Learn more about how we can help enhance your cybersecurity posture.