Skip to main content

Layered defense blocks financial malware from infiltrating Illinois community bank.

November 8, 2023
clock 3 MIN READ

Client Profile

  • Well-established community and retail bank
  • Federally chartered bank with eight locations
  • Over $800 million in assets
  • More than 100 employees; a small IT staff
  • Partners with SEI sphere for cybersecurity services

The modern-day banking Trojan

Qakbot, also known as QBot or Pinkslipbot, is a banking Trojan, a type of malware that’s known to target financial institutions and their customers. It is extremely versatile, initially designed to steal banking credentials to perform wire fraud and drain online banking accounts, but also known to spy on financial operations and install ransomware.

QakBot works by manipulating web browser sessions through web injections to make automated clearing house (ACH) payments. The malware features worm capabilities that self-replicate through shared drives and removable media, and uses powerful information-stealing features to spy on users’ banking activity and eventually defraud them of large sums of money.

Though Qakbot has been around since 2007, newer versions are classified as high-severity threats due to adoption of highly evasive adaptive threat (HEAT) techniques as well as fast threat actor movements (within hours).

A spike in deliveries

In March and April 2023, we observed multiple Qakbot deliveries targeting our client using our Operational Real-time Envelope Opening (OREO), a proprietary email filtering technology.

How it works: Operational Real-time Envelope Opening, or OREO, works on top of existing email protection tools to blind carbon copy (BCC) our system on every email sent to our clients. OREO decrypts attachments, makes sure they’re clean by checking for specific signatures, then re-encrypts them and sends the email to its destination.

Coverage for all phases

By design, our defenses closely parallel key steps in the Cyber Kill Chain1, providing multiple opportunities for remediation at every stage of attack:

  • Delivery – YARA is an open-source tool that exploits code similarities between malware samples within a family to identify malware.2 SEI Sphere has multiple YARA detections in place via OREO to detect malicious file attachments containing the Qakbot malware. These detections are what initially alerted SEI to these deliveries.
  • Exploitation – The primary site of exploitation appeared to come from a vast number of compromised mailboxes. Using OREO, we observed the attackers communicating using conversations and subjects from old emails in an attempt to lure the end user into thinking they were continuing conversations from a legitimate email thread.
  • Installation – Had SEI Sphere not purged the email from a user’s inbox and the user proceeded to click on the malicious attachment, our firewall technology3 would have been able to detect and block communications to secondary download sites based on its malware detection policy. If the firewall had failed or was not in place and secondary download was successful, our next-gen antivirus4 would have then detected the attempted execution of the scripts and blocked them from running.
  • Command and control (C2) – The domains used in most of these attacks were newly registered domains. Had all previous measures failed, attempted connections to command and control would have been prohibited by firewall policy to block connections to newly registered domains. As these campaigns evolve, SEI Detection Engineering continues to write rules to detect communications to associated C2 channels.

Nothing to see here

SEI had significant coverage in all stages of this cyberattack to help ensure that any future attacks of this nature would be detected and remediated with minimal impact to the client. We could do the same for you.

CrowdStrike and Palo Alto Networks are not affiliated with SEI or its subsidiaries.


1Lockheed Martin, “The Cyber Kill Chain®,”

2National Cybersecurity and Communications Integration Center, “Using YARA for Malware Detection,” NCCIC/ICS-Cert Monitor, May/June 2015.

3SEI Sphere uses Palo Alto Network’s next-gen firewall as part of its network protection layer.

4SEI Sphere uses CrowdStrike’s next-gen antivirus as part of its endpoint protection layer.


Explore our solutions

See what SEI Sphere has to offer.

Let's connect

Learn more about how we can help enhance your cybersecurity posture.