Qakbot malware family evolution
2023-04-23 | 14:45 – 15:15
The goal of this presentation is to study and analyse the evolution of the code and the capabilities of Qakbot. In particular, we’ll identify new features being added over time, features that remain stable, and features that are removed over the observation period. The analysis shall also give us information on the evolution of the attacker’s goals and tactics.
All of this research is based on the study of the binary code of the Qakbot payload. The presentation will include high-level insights accessible to a broader audience as well as assembly-level explanations for a more technically inclined audience. Analysing the binaries distributed on the Qakbot botnets makes clear how the botnet updates the version of Qakbot it distributes so that infected machines always run the latest version.
Below we outline some preliminary data and findings, which we will develop further for the presentation.