How SEI Sphere® aligned its defense solutions to prevent a stealthy banking Trojan from moving beyond the front door.
Layered defense blocks financial malware from infiltrating Illinois community bank.
Qakbot, also known as QBot or Pinkslipbot, is a banking Trojan, a type of malware that’s known to target financial institutions and their customers. It is extremely versatile, initially designed to steal banking credentials to perform wire fraud and drain online banking accounts, but also known to spy on financial operations and install ransomware.
QakBot works by manipulating web browser sessions through web injections to make automated clearing house (ACH) payments. The malware features worm capabilities that self-replicate through shared drives and removable media, and uses powerful information-stealing features to spy on users’ banking activity and eventually defraud them of large sums of money.
Though Qakbot has been around since 2007, newer versions are classified as high-severity threats due to adoption of highly evasive adaptive threat (HEAT) techniques as well as fast threat actor movements (within hours).
In March and April 2023, we observed multiple Qakbot deliveries targeting our client using our Operational Real-time Envelope Opening (OREO), a proprietary email filtering technology.
How it works: Operational Real-time Envelope Opening, or OREO, works on top of existing email protection tools to blind carbon copy (BCC) our system on every email sent to our clients. OREO decrypts attachments, makes sure they’re clean by checking for specific signatures, then re-encrypts them and sends the email to its destination.
By design, our defenses closely parallel key steps in the Cyber Kill Chain1, providing multiple opportunities for remediation at every stage of attack:
SEI had significant coverage in all stages of this cyberattack to help ensure that any future attacks of this nature would be detected and remediated with minimal impact to the client. We could do the same for you.
CrowdStrike and Palo Alto Networks are not affiliated with SEI or its subsidiaries.
1Lockheed Martin, “The Cyber Kill Chain®,” lockheedmartin.com.
2National Cybersecurity and Communications Integration Center, “Using YARA for Malware Detection,” NCCIC/ICS-Cert Monitor, May/June 2015.
3SEI Sphere uses Palo Alto Network’s next-gen firewall as part of its network protection layer.
4SEI Sphere uses CrowdStrike’s next-gen antivirus as part of its endpoint protection layer.
See what we have to offer.