Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks


The threat to information is greater than ever, with data breaches, phishing attacks, and other forms of information theft like point-of-sale malware and ATM hacks becoming all too common in today’s threat landscape. Information-stealing trojans are in the same category of threats that deliver a steady stream of risk to data and can lead to significant financial loss.

Qakbot and Emotet are information stealers that have been showing renewed activity in recent months. These malware families are technically different, but they share many similarities in behavior. They both have the ultimate goal of stealing online banking credentials that malware operators can then use to steal money from online banking accounts. They can also steal other sensitive information using techniques like keylogging.

Figure 1. Qakbot and Emotet monthly machine encounters show an upward trend. This data doesn’t include Qakbot and Emotet variants blocked by automation and cloud rules.

Even though these malware families are typically known to target individual online banking users, more and more enterprises, small and medium businesses, and other organizations have been affected by indiscriminate infections.

Figure 2. Breakdown of Qakbot and Emotet machine encounters

Recent variants of these malware families have spreading capabilities, which can increase the chances of multiple infections in corporate networks. They can also be spread by other malware during the lateral movement stage of a cyberattack.

Typical Qakbot and Emotet kill chain

Over the years, the cybercriminals behind Qakbot and Emotet have improved the code behind their malware. They have evolved to evade detection, stay under the radar longer, and increase the chances of spreading to other potential victims.

We mapped some of the common behaviors we’ve seen in Qakbot and Emotet variants and see a lot of similarities.

Figure 3. Qakbot and Emotet attack kill chain. Note that some Qakbot and Emotet variants might not exhibit all of the behaviors above and might be capable of unique routines.

Because of similarities in behavior, Qakbot and Emotet can be mitigated by similar security measures.

Steps to mitigate Qakbot and Emotet

Based on our experience helping organizations get rid of Qakbot and Emotet, the following steps mitigate infection and ultimately remove the malware from corporate networks:

  1. Stop the spread of malware and cut off communication with its command-and-control server

    • Cut off Internet access or disconnect the affected machines from the network until they have been cleaned. Windows Defender Advanced Threat Protection customers can isolate affected machines with one click. You can also block infected machines at the edge firewall, unplug machines from the network, or create rules on Windows Defender Advanced Firewall (and push these out via Group Policy Objects (GPO)).
    • Stop sharing folders that show signs of infection or set shared folders to read-only. Removing admin shares is an option that should only be used as a last resort, as this can cause other issues and hinder management.
    • Practice credential hygiene. Remove unnecessary privileges, or disable privileged accounts that have been observed to spread malware using SMB.
  2. Prevent the malware from automatically running in affected machines

    • Lock down the Scheduled Tasks folder via GPO to prevent new tasks from being created. In GPO, go to Computer Config > Windows Settings > Security Settings > File System > Add File. Add the following:
      • %windir%\tasks
      • %windir%\system32\tasks

      For each one, in the configuration dialog box, click to clear the check boxes for Full Control, Modify, and Write for both Administrators and System, and then click OK.
      In the Add Object dialog box, click Replace existing permissions in all subkeys with inheritable permissions and click OK.
      (Note: When the crisis is over, you can revert this setting by restoring permissions and reapplying the group policy—removing the GPO will not restore original permissions.)

    • Disable autorun.
  3. Remove Qakbot, Emotet, and other related malware

  4. Monitor the network for possible reinfection

    • Determine and address the initial attack vector. Use security solutions like Windows Defender ATP, which provides detailed timelines and other contextual information to understand the nature of attacks and take response actions.
    • Slowly reintroduce network connectivity to the subset of the machines that have been cleaned. Monitor them for reinfection.
    • Reintroduce network connectivity to all affected machines that are believed to be clean.
    • Turn on real-time protection in your antivirus. In Windows 10, enable cloud-based protection and automatic sample submission in Windows Defender Antivirus. With these features enabled, Windows Defender Antivirus provides advanced real-time protection against never-before-seen threats.
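The following script is an added example, not part of the original post, that applies the local-host equivalent of steps 1 and 2 above (isolation, Scheduled Tasks lockdown, autorun off) to a single affected machine that cannot wait for a GPO refresh. The management host address and backup folder are hypothetical values; the script must run from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Hypothetical values: $MgmtHost is
# the remediation server that must stay reachable; $BackupDir stores ACL backups
# so the task-folder lockdown can be reverted after cleanup. Run elevated.
param(
    [string]$MgmtHost  = '10.0.0.5',
    [string]$BackupDir = 'C:\IR\acl-backup'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 1: cut off command-and-control traffic. Default-deny outbound on every
# profile, disable existing outbound allow rules (they would still match), then
# allow only the management host so the machine can still be cleaned.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'IR-Allow-Mgmt' -Direction Outbound -Action Allow `
    -RemoteAddress $MgmtHost -Profile Any | Out-Null

# Step 2a: stop new scheduled tasks from being created. Save each folder's
# current ACL as SDDL, then add Deny-Write ACEs for Administrators and SYSTEM,
# the local equivalent of clearing Write/Modify/Full Control in the GPO.
# Until reverted this also stops Windows itself from registering tasks.
$taskDirs = "$env:windir\Tasks", "$env:windir\System32\Tasks"
foreach ($dir in $taskDirs) {
    $acl    = Get-Acl -Path $dir
    $backup = Join-Path $BackupDir (($dir -replace '[:\\]', '_') + '.sddl')
    Set-Content -Path $backup -Value $acl.Sddl
    foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $principal, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir -AclObject $acl
}

# Step 2b: disable autorun for every drive type (NoDriveTypeAutoRun = 0xFF).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy | Out-Null }
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# Revert the task-folder lockdown after cleanup with:
#   $acl = Get-Acl <dir>; $acl.SetSecurityDescriptorSddlForm((Get-Content <backup>)); Set-Acl <dir> $acl
```

Because outbound DNS is blocked as well, the management host must be given as an IP address, and the firewall changes should be rolled back once the machine is confirmed clean.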

Preventing Qakbot and Emotet infections with Windows 10

While the steps above can rid networks of Qakbot and Emotet, preventing infection eliminates opportunities for these threats to steal info. Windows 10 S is a streamlined platform with Microsoft-verified security. It blocks malware like Qakbot and Emotet and other malicious programs by working exclusively with apps from the Windows Store, ensuring that only apps that went through the Store onboarding, vetting, and signing process are allowed to run.

Additionally, Windows 10 has a comprehensive defense stack that can help block and detect malware like Qakbot and Emotet.

Use Microsoft Edge to block Qakbot and Emotet infections from the web. Microsoft Edge opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads. Its click-to-run feature for Flash can stop malware infections that begin with exploit kits. With Windows Defender Application Guard, Microsoft Edge has an additional hardware isolation-level capability on top of its exploit mitigation and sandbox features.

Block malicious emails carrying the trojan droppers that install Qakbot and Emotet by using Microsoft Exchange Online Protection (EOP), which has built-in anti-spam filtering capabilities that help protect Office 365 customers. Secure mailboxes against email attacks with Office 365 Advanced Threat Protection, which blocks unsafe attachments, malicious links, and linked-to files using time-of-click protection. Anti-spam filters also provide protection against malicious emails.

Use Credential Guard to protect domain credentials and help stop malware from spreading using compromised credentials.

Enable Windows Defender AV to detect Qakbot and Emotet variants, as well as all related malware such as droppers and downloaders. Windows Defender AV uses precise machine learning models as well as generic and heuristic techniques and enhanced behavior analysis to detect common and complex malware code. It provides advanced real-time protection against new and unknown files using the Windows Defender AV cloud protection service.

Use Windows Defender Advanced Threat Protection to flag Qakbot or Emotet infections and to enable security operations personnel to stop the spread of these threats in the network. Windows Defender ATP’s enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, command-and-control communication, and lateral movement. The new process tree visualization and improvements in machine isolation further help security operations to investigate and respond to attacks.

These end-to-end security features in Windows 10 help defend against increasingly complex malware attacks. At Microsoft, we continue to harden Windows 10 against attacks. With Fall Creators Update, we shipped several new and enhanced security features that make Windows 10 the most secure version of Windows yet. Learn more about these features:

It is also important for organizations to augment these security technologies with a security-aware workforce. Educating employees on social engineering attacks and internet safety, and training them to report suspicious emails or websites can go a long way in protecting networks against cyberattacks.

Keith Abluton, Windows Escalation Services

Rodel Finones, Windows Defender Research


Indicators of compromise

The following are IOCs for recent Qakbot and Emotet variants:


Qakbot malware (SHA256):




%APPDATA%\Microsoft\<random folder name>\<random file name>, for example:


%APPDATA%\Microsoft\Cexpalgxx\Cexpalgxx32.dll (configuration file)

Registry modifications:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: <random value name>

With data: “%APPDATA%\Microsoft\<random folder name>\<random file name>”

In subkey: HKLM\SYSTEM\CurrentControlSet\services\<random service name>

Sets value: ImagePath

With data: “%APPDATA%\Microsoft\<random folder name>\<random file name> /D”

Sets value: Type

With data: dword:00000010

Sets value: “Start”

With data: dword:00000002

Sets value: “DisplayName”

With data: “Remote Procedure Call (RPC) Service”

Sets value: “ErrorControl”

With data: dword:00000000

Sets value: “DependOnService”

With data: “Dnscache”

Sets value: “ObjectName”

With data: “LocalSystem”

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: ctfmon.exe

With data: “%APPDATA%\Microsoft\<random folder name>\<random file name>” /c “%System Folder%\ctfmon.exe”

Command-and-control servers:


Emotet downloader (SHA256):


Emotet malware (SHA256):




%appdata%\roaming\microsoft\windows\start menu\programs\startup\[random].lnk


%localappdata%\microsoft\windows, for example: C:\Windows\System32\netshedule.exe

Registry modifications:

In subkey: HKLM\SYSTEM\ControlSet001\services\netshedule

Sets value: Type

With data: 0x00000010

Sets value: Start

With data: 0x00000002

Sets value: ErrorControl

With data: 0x00000000

Sets value: ImagePath

With data: C:\Windows\system32\netshedule.exe

Sets value: DisplayName

With data: netshedule

Command-and-control servers:
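The following script is an added example, not part of the original post, that hunts a host for the registry persistence listed in both the Qakbot and Emotet IOCs above (the HKCU Run entries under %APPDATA%\Microsoft, the fake "Remote Procedure Call (RPC) Service" with a "/D" ImagePath, and the "netshedule" service). It is read-only and returns one object per finding so results can be gathered across machines, for example with Invoke-Command; the function name is the example's own.

```powershell
# Added example (not from the original post): read-only hunt for the Qakbot and
# Emotet registry persistence described in the IOC list. Only the current user's
# HKCU Run key is inspected; other users' hives must be loaded separately.
function Find-QakbotEmotetPersistence {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($family, $location, $name, $data) {
        $findings.Add([pscustomobject]@{ Family = $family; Location = $location
                                         Value  = $name;   Data     = $data })
    }
    # %APPDATA%\Microsoft\<random folder name>\<random file name>, literal or expanded.
    $appDataDrop = '(?i)(%APPDATA%|\\AppData\\Roaming)\\Microsoft\\[^\\"]+\\[^\\"]+'

    # Qakbot: HKCU Run values pointing at the dropped file under %APPDATA%,
    # including the "ctfmon.exe" value that chains the real ctfmon.exe with /c.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # provider metadata, not a value
            $data = [string]$p.Value
            if ($data -match $appDataDrop) { Add-Finding 'Qakbot' $runKey $p.Name $data }
        }
    }

    # Services: Qakbot registers a LocalSystem service whose ImagePath sits under
    # %APPDATA% with a "/D" argument and whose DisplayName mimics the real RPC
    # service (RpcSs); Emotet registers a service named "netshedule".
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $v   = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $img = [string]$v.ImagePath
        if ($svc.PSChildName -ieq 'netshedule' -or $img -imatch '\\netshedule\.exe') {
            Add-Finding 'Emotet' $svc.PSPath 'ImagePath' $img
        }
        $fakeRpc = ([string]$v.DisplayName -eq 'Remote Procedure Call (RPC) Service') -and
                   ($svc.PSChildName -ine 'RpcSs')
        if ($img -match "$appDataDrop\s+/D" -or $fakeRpc) {
            Add-Finding 'Qakbot' $svc.PSPath 'ImagePath' $img
        }
    }
    return $findings
}

Find-QakbotEmotetPersistence | Format-Table -AutoSize
```

Any hit should be confirmed against the file on disk (hash and signature) before the service or Run value is removed, since the patterns deliberately match anything unusual under the user's roaming Microsoft folder.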
